
Step into the BREACH: HTTPS encrypted web cracked in 30 seconds

Online banking, webmail, shopping hacked and slurped in new crypto attack


Black Hat 2013: A new hacking technique dubbed BREACH can extract login tokens, session ID numbers and other sensitive information from SSL/TLS encrypted web traffic, say researchers.

Secret data crucial to securing online banking and shopping can be lifted from an HTTPS channel in as little as 30 seconds, we're told.

BREACH (short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) attacks the common Deflate data compression algorithm used to save bandwidth in web communications. The exploit is a development of the earlier Compression Ratio Info-leak Made Easy (CRIME) exploit, which also involved turning compression of encrypted web requests against users.

The code-breaking research behind BREACH was unveiled by security researchers Angelo Prado, Neal Harris and Yoel Gluck during a presentation at the Black Hat hacking conference in Las Vegas on Thursday.

All versions of TLS/SSL are at risk from BREACH regardless of the encryption algorithm or cipher that's in play, the trio said.

The attacker just has to continually eavesdrop on the encrypted traffic between a victim and a web server before tricking marks into visiting a website under the miscreant's control.

The attacker's booby-trapped website hosts a script that runs the second phase of the attack: this forces the victim's browser to visit the targeted website thousands of times, over and over, each time appending a different combination of extra data. When the attacker-controlled bytes match any bytes originally encrypted in the stream, the browser's compression kicks in and reduces the size of the transmission, a subtle change the eavesdropper can detect.

This data leakage - a type of oracle attack - means an eavesdropper can gradually piece together an email address or security token in an HTTPS exchange, byte by byte, using a technique akin to a high-tech game of Battleships. The time needed to perform a successful attack, and how many requests need to be sent, is dependent on the size of the secret information attackers are targeting, Ars Technica notes.

The leaked data provides enough clues to decrypt a user's supposedly protected cookies or other targeted content. The recovery of secret authentication cookies opens the door for attackers to pose as their victims and hijack authenticated web sessions, among other attacks, the British Computer Society (BCS) notes in a blog post.

The practical upshot is that tokens and other sensitive information sent over SSL connections could be lifted even though the encrypted contents of emails and one-off orders sent to e-commerce websites are beyond the scope of the attack. Prado, Harris and Gluck released tools to test whether websites are vulnerable to BREACH, as well as techniques to defend against the exploit during their presentation at Black Hat.
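The length side channel described above can be measured on your own pages, and so can the effect of a defence. The following is an added example, not code from the article or from the researchers' tools: it compresses a constructed page that contains a secret token and reflected input, reports how many bytes the output shrinks when the reflected text equals the token, then repeats the measurement with per-response token masking. The page template, the token values and the choice of masking as the mitigation are assumptions; the article does not name the defences.

```python
import os
import zlib

TOKEN = "9f2c4e7a1b8d3065c7e4a9120fb6d83e"  # constructed sample secret (hex)
WRONG = "51d07b3e8a46f92c0d5be1739c64a28f"  # constructed probe, same length, no overlap

# Hypothetical page: a hidden token field plus a place where request input is echoed.
PAGE = ('<html><body><form method="post">'
        '<input type="hidden" name="csrf_token" value="{field}"></form>'
        '<p>No results for: {q}</p></body></html>')

def mask_token(token: str) -> str:
    """Emit pad || (pad XOR token) with a fresh random pad for every response."""
    raw = bytes.fromhex(token)
    pad = os.urandom(len(raw))
    return pad.hex() + bytes(a ^ b for a, b in zip(pad, raw)).hex()

def unmask_token(field: str) -> str:
    """Server-side inverse of mask_token, applied before comparing tokens."""
    blob = bytes.fromhex(field)
    half = len(blob) // 2
    return bytes(a ^ b for a, b in zip(blob[:half], blob[half:])).hex()

def compressed_len(field: str, reflected: str) -> int:
    """Length an eavesdropper would observe for the Deflate-compressed body."""
    body = PAGE.format(field=field, q=reflected).encode()
    return len(zlib.compress(body, 9))

def length_gap(masked: bool) -> int:
    """Bytes saved when the reflected text equals the secret rather than WRONG.

    The same field value is used for both measurements, so only the
    reflected text differs between the two compressed bodies.
    """
    field = mask_token(TOKEN) if masked else TOKEN
    return compressed_len(field, WRONG) - compressed_len(field, TOKEN)

def mean_gap(masked: bool, trials: int = 200) -> float:
    """Average gap over many responses (each masked response uses a new pad)."""
    return sum(length_gap(masked) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("gap with raw token in page:   ", length_gap(False), "bytes")
    print("mean gap with masked token:   ", round(mean_gap(True), 2), "bytes")
```

A clear positive gap for the raw token is the signal the eavesdropper relies on; with masking the token never appears verbatim in the body, so the gap falls to noise around zero.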

Not so lucky

BREACH is the latest in a growing list of attacks against HTTPS encryption, the internet's gold standard for secure communication, following attacks such as CRIME, BEAST, Lucky 13 and others.

During a debate at Black Hat, security researchers expressed fears that over the medium term algorithms such as RSA and Diffie-Hellman will be weakened or broken as a result of advances in cryptanalysis as well as the development of attacks such as BREACH.

“There’s a small, but definite chance that RSA and non-ECC Diffie-Hellman will not be usable for security purposes within two to five years,” said Alex Stamos of Artemis Internet, a division of iSEC Partners. “We’re not saying this is definite,” he added.

Kaspersky Lab's Threatpost blog has more on the debate here. Stamos is not alone in looking forward towards the end of life of cryptographic tools and techniques that have served us well but are increasingly showing their age. The RSA algorithm is about to turn 40, for example.

Adi Shamir (the S in RSA) urged security researchers to think about post-cryptography security during a debate at the RSA Conference cryptographers' panel session back in March. ®
