Author Topic: HTTPS Hackable In 30 Seconds: DHS Alert  (Read 6381 times)

wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 11,186
HTTPS Hackable In 30 Seconds: DHS Alert
« on: August 06, 2013, 07:59 AM »
Reported on informationweek.

Security experts are warning website operators to test whether their HTTPS traffic is vulnerable to a new crypto attack that can be used to grab sensitive information.
The so-called BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory, issued Friday, which warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream." All versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable.

Full details of the vulnerability were first unveiled Thursday at the Black Hat conference in Las Vegas by Salesforce.com lead product security engineer Angelo Prado, Square application security engineer Neal Harris, and Salesforce.com lead security engineer Yoel Gluck. Their man-in-the-middle HTTPS crypto attack involves watching "the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site," according to exploit details provided by Prado to DHS. "To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response," he said.

more at link.
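The character-by-character guessing that Prado describes above, written out as an added example; this is not code from the article, the DHS advisory or the researchers' tooling. It assumes a constructed page that both carries a per-session secret (a CSRF token) and reflects an attacker-controlled query string, which is the precondition BREACH needs. The size oracle is a deliberately simplified LZ77 parse (fixed cost per literal or back-reference, no Huffman coding) so the length difference is noise-free; a real zlib oracle is included beside it so the reader can compare. The secret value, page layout, alphabet and filler are all assumptions made for the demo.

```python
"""Toy model of the BREACH compression side channel (added example).

Nothing here is the researchers' code; the "server", its secret and the
cost model are constructed for this demonstration.
"""
import zlib

# Assumed per-session secret. The attacker never sees it directly; only
# the size of the (compressed, then encrypted) response leaks information.
SECRET = "a8f3e2b1c0d9"


def render_page(reflected: str) -> bytes:
    """Constructed page: embeds the secret AND reflects attacker input."""
    return (
        '<html><body><form><input type="hidden" name="csrf" value="'
        + SECRET + '"></form><p>Search results for: '
        + reflected + '</p></body></html>'
    ).encode()


def lz77_token_count(data: bytes, min_match: int = 3, window: int = 32768) -> int:
    """Greedy LZ77 parse; returns literals + back-references emitted.

    Simplified stand-in for DEFLATE's matching stage: each token costs one
    unit and there is no Huffman coding, so the oracle has none of the
    bit-packing noise real zlib output shows. The leak is the same: bytes
    that repeat earlier content cost nothing extra.
    """
    i, tokens, n = 0, 0, len(data)
    while i < n:
        best = 0
        for j in range(max(0, i - window), i):
            k = 0
            while i + k < n and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        i += best if best >= min_match else 1
        tokens += 1
    return tokens


def toy_oracle(reflected: str) -> int:
    """Noise-free size oracle used by the attack loop below."""
    return lz77_token_count(render_page(reflected))


def zlib_oracle(reflected: str) -> int:
    """What an on-path observer really sees: compressed byte length."""
    return len(zlib.compress(render_page(reflected), 9))


ALPHABET = "0123456789abcdef"        # assumed token charset
PREFIX = 'name="csrf" value="'       # bytes the attacker knows precede the secret
PAD = "~~"                           # filler that never occurs in the page


def two_tries_score(oracle, known: str, guess: str) -> int:
    """One pair of requests per guess, as the article describes.

    Request A places the guess directly after the known bytes, request B
    separates them with filler. A correct guess lengthens the back-reference
    in A by one byte, so A comes back smaller than B; a wrong guess leaves
    both the same size.
    """
    a = oracle(PREFIX + known + guess + PAD)
    b = oracle(PREFIX + known + PAD + guess)
    return a - b


def recover_secret(oracle, length: int) -> str:
    """Recover `length` secret bytes by picking the guess with the smallest score."""
    known = ""
    for _ in range(length):
        scores = {c: two_tries_score(oracle, known, c) for c in ALPHABET}
        known += min(scores, key=scores.get)
    return known


if __name__ == "__main__":
    print("recovered:", recover_secret(toy_oracle, len(SECRET)))
```

With `toy_oracle` the correct guess scores -1 at every position and every wrong guess scores 0, so the loop recovers the token in 16 pairs of requests per byte. Swap in `zlib_oracle` and the byte lengths also carry Huffman-coding and byte-rounding noise, so a single pair per guess is not always decisive; that is why the real attack repeats measurements and uses the paired-request trick rather than a single size comparison.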

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,288
  • Tell me something you don't know...
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #1 on: August 06, 2013, 08:03 AM »
As if I wasn't depressed enough already...  :(
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 11,186
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #2 on: August 06, 2013, 09:07 AM »
From article:

Still, the BREACH exploit vector carries caveats. "Researchers say that attackers must have access to passively monitor the target's Internet traffic," French said. "In most cases, monitoring would have to be done locally on the same network -- and that adds a layer of difficulty for hackers."

So you have to be able to intercept on site, so it's not as bad as it seems... but yeah.  :(


Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,288
  • Tell me something you don't know...
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #3 on: August 06, 2013, 09:26 AM »
I'm more worried about the criminals at the Pentagon and similar, and not so much about the low-level criminals elsewhere. The local network access doesn't make much difference. :(

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #4 on: August 06, 2013, 11:44 AM »
I'm more worried about the criminals at the Pentagon and similar, and not so much about the low-level criminals elsewhere. The local network access doesn't make much difference. :(

I was just chuckling about that one myself. If the DHS is telling us about a "Security Flaw", then it's obviously one they've already vetted thoroughly and feel is too unreliable for them to use ...(for business purposes)... So just let the kids play with it.

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,858
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #5 on: August 06, 2013, 01:09 PM »
DHS issued an alert?

All of a sudden these guys are working for us again? What's up with that? :huh:


wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 11,186
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #6 on: August 06, 2013, 01:28 PM »
DHS issued an alert?

All of a sudden these guys are working for us again? What's up with that? :huh:

No... note that it was brought up by an independent researcher at Black Hat. They were reporting something that had been found out by someone else.

4wd

  • Supporting Member
  • Joined in 2006
  • Posts: 5,643
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #7 on: August 06, 2013, 10:44 PM »
DHS issued an alert?

All of a sudden these guys are working for us again? What's up with that? :huh:

I was going to say it's the old Bad Cop, Good Cop routine.

First they hit with the news that you ain't going to be safe on TOR, then they come across all friendly by giving you a heads-up where you might be vulnerable.

All the while, what they're really trying to do is screw you over some other way.