Google And Microsoft Recommend A Cheap Fix For Broken Secure HTTP

Hard on the heels of a September 23 demonstration showed that Secure HTTP is no longer all that secure, Google and Microsoft have both recommended that Web sites dodge the problem by changing the encryption they use. (And how often do these guys agree on anything?) Many E-Commerce sites use the Advanced Encryption Standard (AES) for encryption, but AES is vulnerable to the security hole demonstrated last week. However, the older RC4 is immune to this particular attack, and that's what Google and Microsoft recommend E-Commerce sites (and other sites receiving sensitive data such as payment-card numbers) use.

Does this demand an emergency fix? No, but it's more serious than many experts thought before last Friday's demonstration. Security researchers Juliano Rizzo and Thai Duong required only two minutes to break into a PayPal user's encrypted session—fast enough to make their attack feasible for cyberthieves (although still extremely difficult, at least until some thoughtful hacker turns it into a script any 13-year-old can use). But switching from AES to RC4 is relatively painless for online retailers. The real fix will require upgrading security protocols on hundreds of millions of Web browsers and servers.