TweakTown
Tech content trusted by users in North America and around the world
6,098 Reviews & Articles | 39,135 News Posts

'BREACH' can hack HTTPS in 30 seconds, nothing is secure

Latest hack can get HTTPS data within 30 seconds

| Current Affairs News | Posted: Aug 6, 2013 1:19 pm

One would think this is fear mongering, but it's real, and it's here. Security experts are now warning website operators to test their HTTPS traffic, as it might be vulnerable to a new crypto attack that can be used to take users' information.

 

TweakTown image news/3/2/32163_03_breach_can_hack_https_in_30_seconds_nothing_is_secure.png

 

The attack is called Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext, or BREACH, and was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory issued on Friday. The DHS warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream."

 

The vulnerability was exposed last Thursday at the Black Hat conference in Las Vegas by Salesforce.com Lead Product Security Engineer, Neal Harris, along with Salesforce.com Lead Security Engineer, Yoel Gluck. Their HTTPS crypto attack can watch "the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site" according to exploit details provided to the DHS by Prado.

 

He said: "To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response. In practice, we have been able to recover CSRF tokens with fewer than 4,000 requests. A browser like Google Chrome or Internet Explorer is able to issue this number of requests in under 30 seconds, including callbacks to the attacker command and control center."

 

This reportedly only affects compressed HTTPS traffic, but there needs to be attention bought to the security of our privacy. You can read more on this scary new security breach, here.

NEWS SOURCES:Informationweek.com

Related Tags

Further Reading: Read and find more Current Affairs news at our Current Affairs news index page.

Do you get our news RSS feed? Get It!

Got an opinion on this news? Post a comment below!

Latest Tech News Posts

View More News Posts

Forum Activity

View More Forum Posts

Press Releases

View More Press Releases