More Trouble for SSL/TLS

Besides CRIME, BEAST and Lucky13, two new attacks on SSL/TLS have just been announced. One attack exploits weaknesses in the RC4 cipher, which is used by most websites, starting with Gmail; many cryptographers had been thinking about this possibility for a long time, and now they have found out how. The second attack, called TIME, is a new timing attack, in part a refinement of CRIME.

As of today, neither attack is practical, but they could become real threats in the future. Note that many websites adopted RC4 mostly to withstand BEAST attacks. Now that Lucky13 and this new attack aim at RC4, it is not clear what to do in practice.

Of course, we should seriously consider what to do with SSL/TLS and, even more, the CA model, but it will take a long time, and I do not see enough motivation or incentive among the big internet players to change the current situation.

You can find a summary description of these new attacks, for example, in this article by Ars Technica.