Threat of the Week: Can HTTPS Still Be Trusted?
The headlines coming out of the recent Black Hat security conference in Las Vegas will cause sweat to cascade down your face: “30-Second HTTPS Traffic Attack: No Fix,” screamed one publication.
Another had the story: “Step Into the Breach: HTTPS-Encrypted Web Cracked in 30 seconds.”
Here’s the problem: HTTPS is the secure socket connection over the Internet that allows data to be encrypted, so even if it is intercepted, it’s just Greek to the attacker. It’s the backbone of safe communication with online banking sites.
Except, as demonstrated at Black Hat by Salesforce.com staffers, it’s a relatively easy matter for a reasonably skilled attacker to piece together parts of what is being said in encrypted traffic. It requires work and a certain amount of luck, but when the pieces come together, the code can be deciphered by a savvy hacker.
Key parts of a banking session sometimes can be figured out in as little as 30 seconds, said the researchers at Black Hat.
Now, are you worried?
It gets worse. Even the U.S. Department of Homeland Security has taken note, issuing an advisory that details the nature of the problem, and then gloomily warns, “We are currently unaware of a practical solution to this problem.”
How the hack works is that the hacker exploits vulnerabilities in compression algorithms that are usually involved with HTTPS. Nicknamed the BREACH attack – Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext – in it the attacker modifies what the victim has input, then monitors what the website returns and in that way arrives at educated guesses about the exact content.
Note: this is not an easy attack, pointed out Justin Seitz, senior security researcher at Immunity, Inc., who said in an interview that the attacker would need to gain familiarity with a particular Web target – a credit union’s home banking page, for instance – and learn what encrypted information typically is on it.
Then he would need to find a susceptible victim who commonly would be using a public WiFi – at a coffee shop or an airport, for instance. “That will let us control the Web traffic,” said Seitz.
The attacker also needs to be able to make very smart guesses about the nature of the content, in order to game the system into divulging its secrets,
Add it all up, said Seitz, and “SSL [Secure Sockets Layer] has not been defeated. HTTPS is not dead. Even with this attack I could only extract certain info.”
“Can you do it in 30 seconds,” asked Seitz. “Yes – after you have done hours of research and found a victim.”
He added, however, that if criminals were to find ways to automate this work, then there well could be serious problems for sites that depend on HTTPS.
BREACH has been proven in concept – and in prior Black Hat conferences similar HTTPS attacks were revealed – so the question has to be, how much damage has been done to banking and e-commerce as a result?
Not much, said Rohit Sethi, a vice president at Security Compass. “We have not seen a whole lot of this in the wild,” noted Sethi, who also predicted that were the attacks to be automated, the volume – and the associated damages – would vault upwards.
Good news also comes from John Michener, chief scientist at security company Casaba, who said he recently worked with a client – a large credit card processor that he did not name – to defeat this attack and it is simple. “We turned off compression,” said Michener.
He elaborated that the “bandwidth hit” – the increase in Internet traffic volume and the attendant costs – “is quite small in finance.” So he sees this as a fast way to remove a financial institution or processor from the BREACH crosshairs.
Seitz said likewise: “It’s feasible for a credit union to turn off compression, It would defeat this attack.” He added: “A large bank would be looking at millions of dollars in bandwidth cost. Smaller institutions have an advantage here.”
Turning off compression also is on the top of the list of Homeland Security suggested mitigations.
So, for institutions concerned about this attack – and per Homeland Security, there are plentiful reasons to be concerned – there also is a quick fix that should be implemented at the soonest, said multiple experts.