Author Topic: HTTPS Hackable In 30 Seconds: DHS Alert  (Read 863 times)

Offline kenjoe41

HTTPS Hackable In 30 Seconds: DHS Alert
« on: August 13, 2013, 02:13:10 AM »
Department of Homeland Security urges all website operators to review whether they're vulnerable to new crypto attack. No easy fix exists.

The so-called BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory, issued Friday, which warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream." All versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable.

http://www.informationweek.com/security/attacks/https-hackable-in-30-seconds-dhs-alert/240159435
If you can't explain it to a 6 year old, you don't understand it yourself.

Offline vezzy

Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #1 on: August 13, 2013, 02:16:39 AM »
All of the SSL attacks thus far have relied on exploiting HTTP compression, to the best of my knowledge.

Haven't really researched BREACH that much, but it's nice to see some panicking.
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

Offline proxx

Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #2 on: August 13, 2013, 06:12:10 AM »
Nice, HTTPS has been relatively secure except for the few attacks that have been effective.
Is there any tool or so released? Want to try it.
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline kenjoe41

Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #3 on: August 13, 2013, 12:28:24 PM »
This vulnerability was disclosed at the recent Black Hat conference and the researchers promised to release a tool soon that will enable companies to test their networks. They say their exploit builds on the Compression Ratio Info-leak Made Easy (CRIME) exploit.

Quote
"It's a very powerful tool that -- if you know how to use it under certain conditions and you know who you're targeting -- you could potentially compromise the security of their channel without them being aware. The victim is not going to see any certificate errors," says Angelo Prado, lead product security engineer at Salesforce.com, who, together with Neal Harris, application security engineer at Square, will be presenting information in a session titled "SSL, Gone in 30 Seconds-A BREACH beyond CRIME." "The attack is going to rely on being able to piggyback on the victim's browser."

Offline proxx

Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #4 on: August 13, 2013, 12:32:19 PM »
That's kinda nice of them, are they obligated to do so? (I think they are)
CRIME I indeed followed, as it was supposed to be the next big exploit in HTTPS.... radio silence.
I'll wait for their tool and play with it.

Offline Mordred

Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #5 on: August 13, 2013, 08:04:53 PM »
This is a bit worrisome to say the least. I always viewed SSL as being one of the truly masterfully-crafted security protocols out there.

As usual, don't take anything for granted I guess.

Thank you for the info kenjoe41, a cookie for you sir!

Offline vezzy

Re: HTTPS Hackable In 30 Seconds: DHS Alert
« Reply #6 on: August 13, 2013, 08:29:18 PM »
Quote from: Mordred
This is a bit worrisome to say the least. I always viewed SSL as being one of the truly masterfully-crafted security protocols out there.

All of the SSL exploits thus far haven't really targeted the RC4 backbone, so much as side channels like info leakage, known-plaintext and size analysis to predict input.

I'm not really sure about just how well RC4 is implemented in SSL, but just look at how well it went with WEP.

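The size analysis mentioned in the last reply, and the "Compression Ratio Info-leak" the thread refers to, as an added example (not code from the thread or from the BREACH researchers): it checks whether a compressed response's length depends on a secret when request input is reflected beside it, and shows the dependence fading once the token is masked per response. The page template, token name and all values are constructed; XOR masking with a fresh random pad is a common mitigation assumed here, not one the thread describes.

```python
import hashlib
import os
import zlib

# Constructed sample values; nothing here comes from the thread.
SECRET = hashlib.sha256(b"constructed csrf secret").digest()[:16]
WRONG = hashlib.sha256(b"constructed wrong guess").hexdigest()[:32]
PAGE = ('<html><body><form><input name="csrf_token" value="{token}"></form>'
        '<p>You searched for: {q}</p></body></html>')


def mask(secret, pad=None):
    """Return pad || (secret XOR pad) as hex; differs on every response."""
    pad = pad if pad is not None else os.urandom(len(secret))
    return (pad + bytes(s ^ p for s, p in zip(secret, pad))).hex()


def unmask(token_hex):
    """Server-side inverse of mask(): recover the real secret."""
    raw = bytes.fromhex(token_hex)
    half = len(raw) // 2
    return bytes(m ^ p for m, p in zip(raw[half:], raw[:half]))


def compressed_len(token_hex, reflected):
    """Length of the deflated body; encryption does not hide this length."""
    body = PAGE.format(token=token_hex, q=reflected).encode()
    return len(zlib.compress(body, 9))


def length_gap(token_hex):
    """Bytes saved when reflected input equals the secret vs. a wrong value.

    A clearly positive gap means response size depends on the secret.
    """
    right = compressed_len(token_hex, SECRET.hex())
    wrong = compressed_len(token_hex, WRONG)
    return wrong - right


def audit(pad=None):
    """Compare a static token with a per-response masked token."""
    return {
        "static": length_gap(SECRET.hex()),
        "masked": length_gap(mask(SECRET, pad)),
    }


if __name__ == "__main__":
    print(audit())
```

Disabling HTTP compression for responses that carry secrets removes the gap entirely; masking keeps compression on while making the emitted token unrelated to any value reflected from the request.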
 


