While I agree that RC4 should die in a fire, this attack seems impractical to me.<p>> To successfully decrypt a 16-character cookie with a success probability of 94%, roughly 9x2^27 encryptions of the cookie need to be captured. Since we can make the client transmit 4450 requests per second, this amount can be collected in merely 75 hours.<p>How likely would that amount of network traffic and energy consumption cue the potential victim that something malicious is going on?
As Roy T. Fielding once said in his research paper, "Cookie-based applications on the Web will never be reliable!"
<a href="https://www.ics.uci.edu/~fielding/pubs/dissertation/evaluation.htm" rel="nofollow">https://www.ics.uci.edu/~fielding/pubs/dissertation/evaluation.htm</a>
Section 6.3.4.2
Does anyone else find it ironic that not only is this link HTTP, but HTTPS is broken for this domain?<p><a href="https://www.rc4nomore.com/" rel="nofollow">https://www.rc4nomore.com/</a><p>Hopefully the NSA MITMs it with an "RC4 is fffiiinnneee" message.
I feel "practical" is too strong of a word here. It's probably a <i>more</i> practical attack than previous attacks, but that doesn't make it practical by a long stretch.<p>"Only" 75 hours, where you have to force the victim to make a very large number of encrypted messages. IMO, this wouldn't work when trying to break someone's SSL connection at the local Starbucks.
The keys they used were only 128 bits, whereas RC4 actually supports up to 2048 bits. I wonder how much that affects their results. (AFAIK the 128 bits is an export restriction thing, upgraded from the previous trivially-breakable 40 bits.)<p>Also, 16 characters seems awfully short for a cookie, especially one meant for authentication purposes.