Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 08, 2016, 12:09:03 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: HTTPS Hackable In 30 Seconds: DHS Alert  (Read 2668 times)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
HTTPS Hackable In 30 Seconds: DHS Alert
« on: August 06, 2013, 07:59:26 AM »
Reported on informationweek.

Quote
Security experts are warning website operators to test whether their HTTPS traffic is vulnerable to a new crypto attack that can be used to grab sensitive information.
The so-called BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory, issued Friday, which warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream." All versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable.

Full details of the vulnerability were first unveiled Thursday at the Black Hat conference in Las Vegas by Salesforce.com lead product security engineer Angelo Prado, Square application security engineer Neal Harris, and Salesforce.com lead security engineer Yoel Gluck. Their man-in-the-middle HTTPS crypto attack involves watching "the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site," according to exploit details provided by Prado to DHS. "To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response," he said.

more at link.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #1 on: August 06, 2013, 08:03:07 AM »
As if I wasn't depressed enough already...  :(
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #2 on: August 06, 2013, 09:07:25 AM »
From article:

Quote
Still, the BREACH exploit vector carries caveats. "Researchers say that attackers must have access to passively monitor the target's Internet traffic," French said. "In most cases, monitoring would have to be done locally on the same network -- and that adds a layer of difficulty for hackers."

So you have to be able to intercept on site, so it's not as bad as it seems... but yeah.  :(


Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #3 on: August 06, 2013, 09:26:47 AM »
I'm more worried about the criminals at the Pentagon and similar, and not so much about the low-level criminals elsewhere. The local network access doesn't make much difference. :(
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,296
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #4 on: August 06, 2013, 11:44:49 AM »
I'm more worried about the criminals at the Pentagon and similar, and not so much about the low-level criminals elsewhere. The local network access doesn't make much difference. :(

I was just chuckling about that one myself. If the DHS is telling us about a "Security Flaw", then it's obviously one they've already vetted thoroughly and feel is too unreliable for them to use ...(for business purposes)... So just let the kids play with it.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #5 on: August 06, 2013, 01:09:28 PM »
DHS issued an alert?

All of a sudden these guys are working for us again? What's up with that? :huh:


wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,406
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #6 on: August 06, 2013, 01:28:14 PM »
DHS issued an alert?

All of a sudden these guys are working for us again? What's up with that? :huh:



No... note that it was brought up by an independent researcher at Black Hat.  They were reporting something that had been found out by someone else.

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,474
    • View Profile
    • Donate to Member
Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #7 on: August 06, 2013, 10:44:32 PM »
DHS issued an alert?

All of a sudden these guys are working for us again? What's up with that? :huh:

I was going to say it's the old Bad Cop, Good Cop routine.

First they hit with the news that you ain't going to be safe on TOR, then they come across all friendly by giving you a heads-up where you might be vulnerable.

All the while, what they're really trying to do is screw you over some other way.