One would think this is fear mongering, but it's real, and it's here. Security experts are now warning website operators to test their HTTPS traffic, as it might be vulnerable to a new crypto attack that can be used to take users' information.
The attack is called Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext, or BREACH, and was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory issued on Friday. The DHS warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream."
The vulnerability was exposed last Thursday at the Black Hat conference in Las Vegas by Salesforce.com Lead Product Security Engineer, Neal Harris, along with Salesforce.com Lead Security Engineer, Yoel Gluck. Their HTTPS crypto attack can watch "the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site" according to exploit details provided to the DHS by Prado.
He said: "To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response. In practice, we have been able to recover CSRF tokens with fewer than 4,000 requests. A browser like Google Chrome or Internet Explorer is able to issue this number of requests in under 30 seconds, including callbacks to the attacker command and control center."
This reportedly only affects compressed HTTPS traffic, but there needs to be attention bought to the security of our privacy. You can read more on this scary new security breach, here.