HTTPS Vulnerability

Post by rapier57 » Fri Aug 02, 2013 4:40 pm

This was described at BlackHat and listed at US-CERT:

http://www.kb.cert.org/vuls/id/987798

The conditions that allow the exploit are:

[In order to conduct the attack, the following conditions must be true]:
1. HTTPS-enabled endpoint (ideally with stream ciphers like RC4, although the attack can be made to work with adaptive padding for block ciphers).
2. The attacker must be able to measure the size of HTTPS responses.
3. Use of HTTP-level compression (e.g. gzip).
4. A request parameter that is reflected in the response body.
5. A static secret in the body (e.g. CSRF token, sessionId, VIEWSTATE, PII, etc.) that can be bootstrapped (either first/last two characters are predictable and/or the secret is padded with something like KnownSecretVariableName="").
6. An otherwise static or relatively static response. Dynamic pages do not defeat the attack, but make it much more expensive.


So, it looks to be a pretty narrow set of criteria at this point. That will probably change as more folks look at the issue. This isn't a trivial exploit, at this time. I suspect there will be patches to HTTPS server and client sides before long, though.
Rapier57.

Jayne: Testing. Testing. Captain, can you hear me?
Mal: I'm standing right here.
Jayne: You're coming through good and loud.
Mal: 'Cause I'm standing right here.
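
A defender-side check for conditions 3 to 5 in the list quoted above, plus a one-shot size measurement showing why condition 2 matters. This is an added example, not part of the original post or the US-CERT note; the field-name pattern, the `render` page and both token values are constructed assumptions.

```python
import re
import zlib

# Constructed heuristic for condition 5 (static secret in the body); extend per application.
SECRET_FIELD = re.compile(
    r'name="(csrf[_-]?token|__VIEWSTATE|sessionid)"\s+value="[^"]{8,}"', re.I)

def audit_response(headers, body, request_params):
    """Report which of conditions 3, 4 and 5 hold for a single response."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    codings = [c.strip() for c in hdrs.get("content-encoding", "").split(",")]
    compressed = any(c in ("gzip", "deflate", "br") for c in codings)      # condition 3
    reflected = sorted(k for k, v in request_params.items()
                       if len(v) >= 4 and v in body)                        # condition 4
    secrets = sorted({m.group(1) for m in SECRET_FIELD.finditer(body)})     # condition 5
    return {"http_compression": compressed, "reflected_params": reflected,
            "secret_fields": secrets,
            "exposed": compressed and bool(reflected) and bool(secrets)}

def compressed_len(body):
    """Size an on-path observer could measure (condition 2), using DEFLATE."""
    return len(zlib.compress(body.encode(), 9))

# Constructed sample page: reflects the q parameter and embeds a static token.
TOKEN = "9f2c4e7a1b3d5f60718293a4b5c6d7e8"
OTHER = "c81d0a6e5b29f7341e60d9a2473f8b15"  # same length, different value

def render(q):
    return ('<html><body><p>Results for: ' + q + '</p><form>'
            '<input type="hidden" name="csrf_token" value="' + TOKEN + '">'
            '</form></body></html>')

if __name__ == "__main__":
    print(audit_response({"Content-Encoding": "gzip"}, render("hello world"),
                         {"q": "hello world"}))
    # Same plaintext length, different compressed length: the size depends on the secret.
    print(compressed_len(render(TOKEN)), compressed_len(render(OTHER)))
```

Run against captured responses from your own application, a result with `exposed` set to true marks a page worth reviewing for this issue.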

