HTTPS Hackable In 30 Seconds: DHS Alert

wraith808:
Reported on informationweek.

Security experts are warning website operators to test whether their HTTPS traffic is vulnerable to a new crypto attack that can be used to grab sensitive information.
The so-called BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory, issued Friday, which warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream." All versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable.

Full details of the vulnerability were first unveiled Thursday at the Black Hat conference in Las Vegas by Salesforce.com lead product security engineer Angelo Prado, Square application security engineer Neal Harris, and Salesforce.com lead security engineer Yoel Gluck. Their man-in-the-middle HTTPS crypto attack involves watching "the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site," according to exploit details provided by Prado to DHS. "To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response," he said.

--- End quote ---

more at link.

Renegade:
As if I wasn't depressed enough already...  :(

wraith808:
From article:

Still, the BREACH exploit vector carries caveats. "Researchers say that attackers must have access to passively monitor the target's Internet traffic," French said. "In most cases, monitoring would have to be done locally on the same network -- and that adds a layer of difficulty for hackers."

--- End quote ---

So you have to be able to intercept on site, so it's not as bad as it seems... but yeah.  :(

Renegade:
I'm more worried about the criminals at the Pentagon and similar, and not so much about the low-level criminals elsewhere. The local network access doesn't make much difference. :(

Stoic Joker:
I'm more worried about the criminals at the Pentagon and similar, and not so much about the low-level criminals elsewhere. The local network access doesn't make much difference. :( -Renegade (August 06, 2013, 09:26 AM)
--- End quote ---

I was just chuckling about that one myself. If the DHS is telling us about a "Security Flaw", then it's obviously one they've already vetted thoroughly and feel is too unreliable for them to use ...(for business purposes)... So just let the kids play with it.
