A lot of cryptographic mistakes people make, you can blame on the 1990s. For instance, the ubiquitous CBC padding oracle (most recently of TLS "Lucky 13" fame) is the product of MAC-then-encrypt constructions, where attackers are given the privilege of manipulating ciphertext without having it checked by a MAC. We didn't have a mathematical proof to tell us not to do MAC-then-encrypt until <i>after</i> the 1990s. So if you have that bug, you might consider blaming the 1990s.<p>But using the same RC4 key in both directions of an encrypted transport isn't just a bug known in the 1990s; it is the emblematic cryptographic attack of the 1990s, the one crypto flaw that even non-crypto pentesters could reliably deploy. For instance, bidirectionally shared RC4 keys broke the Microsoft VPN scheme, a bug discovered by Peter "Mudge" Zatko when there was still a L0pht Heavy Industries.<p>So my point is, this is a bit sad.<p>I should add, recycling the keystream of a stream cipher is worse than he makes it sound. The attack he's describing is called "crib dragging" and implies that an attacker has access to plaintext. But attackers don't need access to plaintext to attack repeated-key XOR, which is what a set of ciphertexts encrypted under the same stream cipher keystream works out to be.
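As an added illustration of the last paragraph of the comment above (example code written for this page, not the commenter's), here is the plaintext-free attack on repeated-key XOR in Python. Several messages are encrypted with RC4 under one shared key, each from a fresh cipher instance, which is exactly the "same key in both directions" situation generalised to more than two streams. The attacker XORs ciphertexts pairwise (the keystream cancels), then uses the fact that space XOR a letter is a letter with its case flipped, while letter XOR letter never is, to spot where one message has a space; each such spot gives away a keystream byte that decrypts every other message at that offset. The key, the six messages and the `min_peers` threshold are constructed for the demo; the heuristic assumes messages made only of letters and spaces, and real text with digits or punctuation would add wrong guesses that need extra filtering.

```python
"""Two-time pad attack on RC4 keystream reuse, with no known plaintext.

Example code added for this page; key and messages are constructed.
"""
from typing import Dict, List


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), as deployed in the 1990s. Illustrative only."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt (or decrypt) by XORing with the keystream from offset 0."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def _is_ascii_letter(x: int) -> bool:
    return 0x41 <= x <= 0x5A or 0x61 <= x <= 0x7A


def recover_keystream(cts: List[bytes], min_peers: int = 3) -> Dict[int, int]:
    """Guess keystream bytes from ciphertexts alone (the "space" heuristic).

    At offset p, ciphertext i is a space candidate when c_i ^ c_j (= p_i ^ p_j)
    is 0 or an ASCII letter for every other ciphertext j present at p, and at
    least one of those is a letter. A true space always passes; a letter can
    only pass when some peer is a space, and then the two candidates disagree
    on the keystream byte, so positions with conflicting guesses are skipped.
    """
    longest = max(len(c) for c in cts)
    ks: Dict[int, int] = {}
    for p in range(longest):
        present = [c[p] for c in cts if len(c) > p]
        if len(present) - 1 < min_peers:  # too few peers to vote
            continue
        guesses = set()
        for i, ci in enumerate(present):
            diffs = [ci ^ cj for j, cj in enumerate(present) if j != i]
            if all(d == 0 or _is_ascii_letter(d) for d in diffs) and any(
                _is_ascii_letter(d) for d in diffs
            ):
                guesses.add(ci ^ 0x20)  # plaintext assumed to be a space
        if len(guesses) == 1:
            ks[p] = guesses.pop()
    return ks


def decrypt_partial(cts: List[bytes], ks: Dict[int, int]) -> List[str]:
    """Decrypt every message at the recovered offsets; '?' where unknown."""
    return [
        "".join(chr(c[p] ^ ks[p]) if p in ks else "?" for p in range(len(c)))
        for c in cts
    ]


# Constructed demo data: one key reused across six independent RC4 streams,
# which is the bug under discussion (both directions keyed identically).
SHARED_KEY = b"same key both ways"
MESSAGES = [
    "attack at dawn and hold the bridge",
    "the quick brown fox jumps over the lazy dog",
    "never reuse a stream cipher keystream",
    "both directions share one rc four key",
    "send the report before noon tomorrow",
    "meet me at the old station tonight",
]
CIPHERTEXTS = [rc4(SHARED_KEY, m.encode("ascii")) for m in MESSAGES]


def demo() -> List[str]:
    """Run the attack on the constructed ciphertexts; no key, no crib."""
    return decrypt_partial(CIPHERTEXTS, recover_keystream(CIPHERTEXTS))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Every byte the attack reports is correct by construction of the voting rule above, and more messages mean more offsets where someone has a space, so the recovered fraction grows with traffic volume; that is why a long-lived connection with a reused key leaks far more than a single pair of ciphertexts would suggest.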
Here's what I'm sad about. Does every single web and mobile app that gets made by anyone these days now require an extensive knowledge of how to do security right? If so, that sucks, given how big the field is. Or do we all need to go and hire tptacek for a quarterly security audit? I imagine that can get quite expensive. It really gets in the way of just making things and putting them up; I think it kind of kills the spirit of creation and entrepreneurship. :( I mean, it's great for people who are truly interested in security, but what if you're not? Are you doomed to fail at the startup game if you don't know security well?
I'm surprised they'd make such a rookie mistake when there are hundreds of good encryption methods online to crib from, just a Google search away.
I love how exactly this mistake is covered in detail in the first week of Dan Boneh's crypto course:<p><a href="https://class.coursera.org/crypto-008/class" rel="nofollow">https://class.coursera.org/crypto-008/class</a>
The Russians made the same mistake in WWII, but WhatsApp shows the relevance today.
<a href="https://heml.is/" rel="nofollow">https://heml.is/</a> currently looks like the best concept of a solution to the problem - if they keep their promise:<p>> Will it be Open Source?<p>> We have all intentions of opening up the source as much as possible for scrutiny and help!<p>But it's not done yet.