HTTPS Vulnerability


Post #144115 by rapier57
Fri Aug 02, 2013 4:40 pm

This was described at BlackHat and listed at US-CERT:

The conditions that allow the exploit are:
[In order to conduct the attack, the following conditions must be true]:
1. HTTPS-enabled endpoint (ideally with stream ciphers like RC4, although the attack can be made to work with adaptive padding for block ciphers).
2. The attacker must be able to measure the size of HTTPS responses.
3. Use of HTTP-level compression (e.g. gzip).
4. A request parameter that is reflected in the response body.
5. A static secret in the body (e.g. CSRF token, sessionId, VIEWSTATE, PII, etc.) that can be bootstrapped (either first/last two characters are predictable and/or the secret is padded with something like KnownSecretVariableName="").
6. An otherwise static or relatively static response. Dynamic pages do not defeat the attack, but make it much more expensive.

So, it looks to be a pretty narrow set of criteria at this point. That will probably change as more folks look at the issue. This isn't a trivial exploit, at this time. I suspect there will be patches to HTTPS server and client sides before long, though.


Jayne: Testing. Testing. Captain, can you hear me?
Mal: I'm standing right here.
Jayne: You're coming through good and loud.
Mal: 'Cause I'm standing right here.
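
Added example, not part of the post above or of the US-CERT text it quotes: a self-check a site owner could run over two responses to the same request to see which of conditions 3 to 6 hold for a page. The function and field names, the hidden-input markup and the canary value are assumptions made for illustration; conditions 1 and 2 cannot be judged from a response body and are not checked.

```python
import re
from difflib import SequenceMatcher

# Assumed markup for secrets: hidden inputs named like the examples in condition 5.
SECRET_RE = re.compile(r'name="(csrf_token|sessionId|__VIEWSTATE)"\s+value="([^"]+)"')

def audit(resp_a, resp_b, canary):
    """Check two responses to the same request, each a (headers, decoded body)
    pair, for conditions 3-6. `canary` is a harmless marker string the tester
    sent in a request parameter."""
    (hdr_a, body_a), (hdr_b, body_b) = resp_a, resp_b
    enc = {k.lower(): v for k, v in hdr_a.items()}.get("content-encoding", "identity")
    compressed = enc.strip().lower() not in ("", "identity")           # condition 3
    reflected = canary in body_a and canary in body_b                  # condition 4
    sec_a = dict(SECRET_RE.findall(body_a))
    sec_b = dict(SECRET_RE.findall(body_b))
    static = sorted(n for n, v in sec_a.items() if sec_b.get(n) == v)  # condition 5
    similarity = SequenceMatcher(None, body_a, body_b).ratio()         # condition 6
    return {
        "compressed": compressed,
        "reflected": reflected,
        "static_secrets": static,
        "similarity": round(similarity, 2),
        # Condition 6 only changes the cost, so it is reported but not required.
        "exposed": compressed and reflected and bool(static),
    }

def page(token, canary="zq7canary"):
    # Constructed sample response body: one hidden token plus a reflected parameter.
    return (f'<form><input type="hidden" name="csrf_token" value="{token}"></form>'
            f'<p>Results for: {canary}</p>')

GZIP = {"Content-Encoding": "gzip"}
# Same token in both responses: every checked condition holds.
STATIC_SITE = audit((GZIP, page("a1b2c3d4e5f6")), (GZIP, page("a1b2c3d4e5f6")), "zq7canary")
# Token differs per response: condition 5 does not hold.
ROTATING_SITE = audit((GZIP, page("a1b2c3d4e5f6")), (GZIP, page("9f8e7d6c5b4a")), "zq7canary")
# No Content-Encoding header: condition 3 does not hold.
UNCOMPRESSED = audit(({}, page("a1b2c3d4e5f6")), ({}, page("a1b2c3d4e5f6")), "zq7canary")

if __name__ == "__main__":
    for name, result in [("static", STATIC_SITE), ("rotating", ROTATING_SITE),
                         ("uncompressed", UNCOMPRESSED)]:
        print(name, result)
```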