HTTPS hack

02/08/2013

The HTTPS security measures that are used to protect websites are susceptible to a new attack that can extract information in as little as 30 seconds.

The method, called BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext), was demonstrated at the Black Hat security conference in Las Vegas and works by targeting the data compression websites use in order to save bandwidth. The technique examines the size of the packet and then guesses the contents whilst sending probe requests back to the targeted website.

Having gained access, a BREACH attack can then extract information such as email addresses, some types of security tokens and password reset links. It works against all versions of the widely used Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

In order to perform an attack, an attacker needs to be able to passively monitor the traffic traveling between an end-user and website. The attack also requires the attacker to force the victim to visit a malicious link.
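The size side channel described above, seen from the defender's side, as an added example that is not part of the original article: a constructed page reflects a request parameter next to a secret token, and the compressed length changes depending on whether the parameter repeats the token. The token, page template and function names are assumptions; per-response masking of the secret is one of the mitigations proposed by the BREACH researchers and is not described in this article.

```python
import os
import zlib

# Constructed sample values (assumptions, not from the article).
TOKEN = bytes.fromhex("9f3c1a7be2d04586a2c7f05b3e6d8294")
PAGE = ('<html><body><p>Results for: {q}</p><form method="post">'
        '<input type="hidden" name="csrf" value="{field}"></form></body></html>')


def render_plain(query):
    """Reflected input and the raw token share one compressed response body."""
    return PAGE.format(q=query, field=TOKEN.hex()).encode()


def mask(token, pad):
    """Emit pad || (pad XOR token): the bytes on the wire differ per response."""
    return (pad + bytes(p ^ t for p, t in zip(pad, token))).hex()


def unmask(field):
    """Server-side inverse of mask(), applied to the submitted form field."""
    raw = bytes.fromhex(field)
    pad, body = raw[:len(raw) // 2], raw[len(raw) // 2:]
    return bytes(p ^ b for p, b in zip(pad, body))


def render_masked(query, pad=None):
    """Same page, but the token is masked with a fresh random pad each time."""
    pad = os.urandom(len(TOKEN)) if pad is None else pad
    return PAGE.format(q=query, field=mask(TOKEN, pad)).encode()


def length_gap(render):
    """Compressed size for a non-matching query minus size for a matching one."""
    # The non-matching query is the token reversed: same characters, so any
    # size difference comes from repetition found by the compressor.
    match, miss = TOKEN.hex(), TOKEN.hex()[::-1]
    return len(zlib.compress(render(miss))) - len(zlib.compress(render(match)))


if __name__ == "__main__":
    print("raw token in body:    gap =", length_gap(render_plain), "bytes")
    print("masked token in body: gap =", length_gap(render_masked), "bytes")
```

A clear positive gap for the raw token is the signal an observer of response sizes can measure; with masking the two sizes stay close together because the reflected text no longer repeats anything in the body.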

'HTTPS remains a good method of transmitting data online, but it certainly isn’t perfect,' said Jon French, a Security Analyst at security firm AppRiver.

'Many researchers and hackers are constantly trying to find flaws within the HTTPS protocol precisely because so many people rely on it. As a result, while BREACH is the latest tool for intercepting HTTPS traffic, it's not the only one out there.

'In order to use BREACH, researchers say that attackers must have access to passively monitor the target's internet traffic. In most cases, monitoring would have to be done locally on the same network and that adds a layer of difficulty for hackers. 

'Researchers plan on releasing it as a tool that can be used for testing, so businesses should take advantage of that and use it to further secure their own systems. As more breakthroughs on HTTPS like this come on, it may end up spawning more secure methods of sending your data around on the internet.'