
I feel "practical" is too strong of a word here. It's probably a more practical attack than previous attacks, but that doesn't make it practical by a long stretch.

"Only" 75 hours, where you have to force the victim to make a very large number of encrypted messages. IMO, this wouldn't work when trying to break someone's SSL connection at the local Starbucks.




> ...but that doesn't make it practical...

If I had a dime for every penny of damage caused when people downplay the practicality of attacks against deployed crypto...

75 hours is enough time to attack a laptop left plugged in at the office over a 3-day weekend, and there's no reason why you'd have to attack only one laptop at a time.

The paper also says, "capturing traffic for 52 hours already proved to be sufficient", so it's not like 75 hours is some hard minimum.

Also:

"Our attack is not limited to decrypting cookies. Any data or information that is repeatedly encrypted can be recovered."

"We can break a WPA-TKIP network within an hour."

RC4 is dead, dead, dead. As with MD5, the writing's been on the wall for a while now, and attacks are only going to get better.


The attack numbers are under artificially generated network traffic.


Yes, but we present several techniques on how to generate these amounts of data. For TLS and HTTPS you can use JavaScript. For WPA-TKIP you need control of one TCP connection, and that is enough to generate the data. We're not saying it's a point and click attack, but it's a very good reason to start worrying :)


"Attacks always get better; they never get worse." – The NSA[1]

[1] http://tools.ietf.org/html/rfc4270#section-6


I feel like we need a richer vocabulary for the security status of given crypto algorithms/implementations. It's great to be conservative and call everything that isn't perfect "broken", but it'd be nice to have an urgency coefficient to know whether "broken" means "someone will exploit this in a few years" or "the government could attack you with a $50mm cluster" or "your machine could be exploited while you're getting coffee" or even "there's a worm in the wild right now that uses this to spread".


It's hard to predict how crypto can handle against powerful adversaries or in time.

But if a couple guys can break something in 75 hours, knowing crypto attacks only get better, you can already consider this broken.



