EvilZone
kenjoe41, August 13, 2013, 02:13:10 AM
-
Department of Homeland Security urges all website operators to review whether they're vulnerable to new crypto attack. No easy fix exists. The so-called BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory (http://www.kb.cert.org/vuls/id/987798), issued Friday, which warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream." All versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable.
http://www.informationweek.com/security/attacks/https-hackable-in-30-seconds-dhs-alert/240159435
-
All of the SSL attacks thus far have relied on exploiting HTTP compression, to the best of my knowledge.
Haven't really researched BREACH that much, but it's nice to see some panicking.
-
Nice, HTTPS has been relatively secure except for the few attacks that have been effective.
Is there any tool or so released? Want to try it.
-
This vulnerability was disclosed at the recent Black Hat conference and the researchers promised to release a tool soon that will enable companies to test their networks. They say they built their exploit on the Compression Ratio Info-leak Made Easy (CRIME) exploit (http://www.darkreading.com/vulnerability/https-side-channel-attack-a-tool-for-enc/240157583).
"It's a very powerful tool that -- if you know how to use it under certain conditions and you know who you're targeting -- you could potentially compromise the security of their channel without them being aware. The victim is not going to see any certificate errors," says Angelo Prado, lead product security engineer at Salesforce.com, who, together with Neal Harris, application security engineer at Square, will be presenting information in a session titled "SSL, Gone in 30 Seconds-A BREACH beyond CRIME." "The attack is going to rely on being able to piggyback on the victim's browser."
-
That's kinda nice of them, are they obligated to do so? (I think they are)
CRIME I indeed followed as it was supposed to be the next big exploit in HTTPS.... radio silence.
I'll wait for their tool and play with it.
-
This is a bit worrisome to say the least. I always viewed SSL as being one of the truly masterfully-crafted security protocols out there.
As usual, don't take anything for granted I guess.
Thank you for the info kenjoe41, a cookie for you sir!
-
This is a bit worrisome to say the least. I always viewed SSL as being one of the truly masterfully-crafted security protocols out there.
All of the SSL exploits thus far haven't really targeted the RC4 backbone, so much as side channels like info leakage, known-plaintext and size analysis to predict input.
I'm not really sure about just how well RC4 is implemented in SSL, but just look at how well it went with WEP.