HTTPS Hackable In 30 Seconds: DHS Alert

"Security experts are warning website operators to test whether their HTTPS traffic is vulnerable to a new crypto attack that can be used to grab sensitive information.

The so-called BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory, issued Friday, which warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream." All versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable"

http://www.informationweek.com/security/attacks/https-hackable-in-30-seconds-dhs-alert/240159435#mc_jive

Original issue from HS:

"By observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream."

http://www.kb.cert.org/vuls/id/987798

Questions to the gurus on this forum:

1) Does anyone know if this vulnerability can also impact use of other SSL/TLS types of access such as ssh or vpn?

2) If the above is true, does this mean that using VPN or SSH on public wifi is at risk?

3) Do we now need to consider additional encryption over HTTP/HTTPS?

4) Any special impact to VPS?

5) Any other constructive thoughts and comments welcome.

Comments

  • 6) Additional question, is there a category we can post security related questions? I did not find one, apologies if this was posted in wrong category.

  • perennate Member, Host Rep

    1) BREACH relies on forcing the web browser to make certain requests; these requests wouldn't be possible over SSH/VPN. Not to mention that there aren't any CSRF tokens or email addresses that can be grabbed.

    2) Not true.

    3) Not additional encryption. You should use HTTPS, but mitigate the BREACH attack by, for example, disabling compression.

    4) Um, yeah sure, HTTPS...

    5) Before worrying about BREACH, make sure you aren't vulnerable to older attacks on HTTPS .. -- https://www.ssllabs.com/ssltest/
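
The length signal quoted from the advisory, and the effect of the mitigation mentioned in the reply above (disabling compression), shown as an added example that is not part of the thread or the advisory. The page template, the token value and the 29-byte record overhead are constructed assumptions.

```python
import zlib

# Constructed sample values; not taken from the thread or the advisory.
SECRET = "csrf_token=9f3a7c21d84b"
# Assumed constant per-record overhead: encryption hides content, not length.
TLS_OVERHEAD = 29


def render(reflected: str) -> bytes:
    """Hypothetical page that echoes request input and embeds a secret."""
    return (
        "<html><body><p>No results for: " + reflected + "</p>"
        "<a href='/logout?" + SECRET + "'>Log out</a>"
        "</body></html>"
    ).encode()


def wire_length(body: bytes, compress: bool) -> int:
    """Length an on-path observer sees for the encrypted response."""
    payload = zlib.compress(body, 9) if compress else body
    return len(payload) + TLS_OVERHEAD


def length_depends_on_secret(compress: bool) -> bool:
    """True if two same-length inputs produce different wire lengths
    only because one of them matches the embedded secret."""
    matching = SECRET
    unrelated = "csrf_token=QZXKWJVYPMUB"  # same length, wrong value
    assert len(matching) == len(unrelated)
    return (wire_length(render(matching), compress)
            != wire_length(render(unrelated), compress))


if __name__ == "__main__":
    for compress in (True, False):
        print("compression", "on " if compress else "off",
              "-> length depends on secret:",
              length_depends_on_secret(compress))
```

The same comparison can be run as a regression test against a site's own templates: if two equal-length inputs yield different compressed sizes only because one matches an embedded secret, that response should not be compressed.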

  • Maounique Host Rep, Veteran

    I think any encryption is vulnerable as long as you know the exact plaintext before and after the encryption. There are ways to mitigate this, however.
    An attacker will need some information to start with. Some of it is already known for SSL.
    If the attacker knows the key length, the encryption method, and the encrypted and unencrypted versions of the same text, and can also do some timed attacks, then the resources he needs to break the encryption are already significantly lower.
