
Low-cardinality nonce in encrypted sessions allows decrypting some of them when enough are intercepted

Open amol- opened this issue 8 years ago • 1 comment

As pointed out by @alex, if a user is able to sniff enough sessions (nearly 16,777,216) it is possible to decrypt some of them. This is caused by nonces repeating due to only 48 bits of cardinality.

In the short term, raising the cardinality of the nonce to 128 bits could provide enough security, but there is a suggestion to also switch to an easier-to-use and more secure solution like https://cryptography.io/en/latest/fernet/ for symmetric enciphering.

The target is to release a 1.7.1 with 128-bit nonces and then consider another solution for future releases. It will be necessary to provide a way to support previously encrypted sessions without breaking them for websites already in production.

amol- avatar Jan 25 '16 14:01 amol-
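The two numbers in the report (48-bit nonces, roughly 16.7 million sessions) are the birthday bound, and the consequence of a repeated nonce is the classic two-time-pad failure of any counter-mode stream cipher. The following is an added example, not beaker's code; it uses a toy HMAC-based keystream in place of AES-CTR (the attack depends only on the keystream being fully determined by key and nonce, not on the block cipher), and the key, nonces and session payloads are constructed for the illustration.

```python
"""Why a 48-bit nonce fails after ~2**24 sessions, and what a repeat costs.

Toy example: the keystream below is HMAC-SHA256 in counter mode, standing in
for AES-CTR. The property exploited is shared by both: the same (key, nonce)
pair yields the same keystream, so two ciphertexts under it XOR to the XOR of
their plaintexts.
"""
import hashlib
import hmac
import math
import secrets


def birthday_collision_probability(nonce_bits: int, samples: int) -> float:
    """Probability that at least two of `samples` uniformly random nonces of
    `nonce_bits` bits coincide (standard birthday approximation
    1 - exp(-k(k-1)/2N))."""
    space = 2 ** nonce_bits
    return 1.0 - math.exp(-samples * (samples - 1) / (2.0 * space))


def expected_draws_to_collision(nonce_bits: int) -> float:
    """Expected number of random nonces drawn before the first repeat,
    sqrt(pi/2 * N); for 48 bits this is about 2.1e7, the ~16.7M of the
    report being 2**24, where the collision probability is already ~39%."""
    return math.sqrt(math.pi / 2 * 2 ** nonce_bits)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Given two ciphertexts produced under the same (key, nonce) and the
    plaintext of the first, recover the plaintext of the second:
    (c1 XOR c2) XOR p1 == (p1 XOR p2) XOR p1 == p2.
    A session attacker rarely needs the whole of p1; the fixed layout of
    a serialized session dict supplies enough known bytes (crib-dragging)."""
    return xor(xor(c1, c2), known_p1)


def simulate_until_collision(nonce_bytes: int) -> int:
    """Draw random nonces of `nonce_bytes` bytes until one repeats and
    return how many draws that took (empirical birthday bound)."""
    seen = set()
    while True:
        nonce = secrets.token_bytes(nonce_bytes)
        if nonce in seen:
            return len(seen) + 1
        seen.add(nonce)


if __name__ == "__main__":
    # Constructed demo key and a nonce that was (hypothetically) reused.
    key = hashlib.sha256(b"demo-session-key").digest()
    reused_nonce = b"\x00\x01\x02\x03\x04\x05"  # 48-bit nonce, as in the report
    p1 = b"user=alice role=user"   # constructed session payloads, same length
    p2 = b"user=bobby role=root"
    c1 = encrypt(key, reused_nonce, p1)
    c2 = encrypt(key, reused_nonce, p2)
    print("recovered p2:", recover_with_crib(c1, c2, p1))
    print("P(collision | 48-bit, 2**24 sessions) =",
          round(birthday_collision_probability(48, 2 ** 24), 3))
    print("P(collision | 128-bit, 2**24 sessions) =",
          birthday_collision_probability(128, 2 ** 24))
    print("16-bit toy nonce repeated after", simulate_until_collision(2), "draws")
```

The 128-bit figure shows why the stopgap works: at 2**24 sessions the collision probability is on the order of 2**-81, and the expected draws to a repeat are around 2**64. The example also makes the second half of the report concrete: a repeat is not a theoretical weakness but an immediate plaintext recovery for any intercepted session whose partner shares the nonce.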

https://github.com/bbangert/beaker/commit/7a57ac7a108e3dd14a66dc49abb093c56b959e29 should provide a temporary fix for 1.8.0 while we consider other encryption functions.

amol- avatar Jan 25 '16 23:01 amol-