New Attack Steals SSNs, E-mail Addresses, and More From HTTPS Pages

Security researchers at KU Leuven have discovered an attack technique, dubbed HEIST (HTTP Encrypted Information can be Stolen Through TCP-Windows), which can exploit an encrypted website using only a JavaScript file hidden in a maliciously crafted ad or page. ArsTechnica reports: Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly. HEIST will be demonstrated for the first time on Wednesday at the Black Hat security conference in Las Vegas. "HEIST makes a number of attacks much easier to execute," Tom Van Goethem, one of the researchers who devised the technique, told Ars. "Before, the attacker needed to be in a Man-in-the-Middle position to perform attacks such as CRIME and BREACH. Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk." Using HEIST in combination with BREACH allows attackers to pluck out and decrypt e-mail addresses, social security numbers, and other small pieces of data included in an encrypted response. BREACH achieves this feat by including intelligent guesses -- say, @gmail.com, in the case of an e-mail address -- in an HTTPS request that gets echoed in the response. Because the compression used by just about every website works by eliminating repetitions of text strings, correct guesses result in no appreciable increase in data size while incorrect guesses cause the response to grow larger.

Vulnerability names...

Keep getting more stupid by the hour

Re:Vulnerability names...

[Maritz]

I'll just pre-empt the next few here... THIEF / 5TEAL/ T4KEY / O0-I-WANT / GIMME-MINE /

Re:Vulnerability names...

You forgot the new defense protocol: N4CH0 K3YZ.

Re:Vulnerability names...

Are those keys spicy?

so once again...

using only a JavaScript file hidden in a maliciously crafted ad or page

So we learn for the 1940390155th time that if you let a remote site run arbitrary scripts on your machine, that remote site might do things that are not in your best interest. Surprise surprise.

Look: we get a constant stream of these things, at least one or two per week, literally for over 10 years. They're all the same. "Run javascript, get pwned". If you care AT ALL about security, you need to block javascript by default and white-list a few sites you care about, like your bank.

If you are still running javascript by default, in 2016, that's on you. You've had over a decade to learn your lesson. This is like someone walking through the worst part of town at 3am flashing jewels and expensive watches. Then they get mugged. Is it the muggers fault? Yeah, of course it is. But the person doing this is still a bloody idiot, especially after it happens for the 10th time, and then the 20th, and the 50th, and the 100th. Eventually, they need to learn from experience.

Whitelist selected javascript, and disable everything else. It's time. It was a bad idea just like ActiveX was. The internet is not your friend. Random domains are not trustworthy. Stop letting them run code in your browser. Ignorance stops being a reasonable excuse after endless repetitions of "See this incredible new exploit(*)! (*) that requires you let the attacker run code on your computer."

Re:so once again...

I'm not so sure. It is easy for 99.9% of the population to understand why they got mugged. It is not as easy for people to understand why their information was stolen. There isn't a guy walking up with "javascript" written on his shirt that takes your information and then you go "ah ha - I better not allow javascript around me".

Not everyone reads this site (in fact, most people don't) so while you think everyone knows about this, they don't. Most people couldn't tell you what javascript is.

Re:so once again...

Maybe so. But that is why we need some level of basic technical literacy, just like we expect people to have some basic awareness of geography or their own health. It does not mean they have to be hardcore technical experts, but having at least some notion of what's going on will lead to them fairing better than pure ignorance alone will.

Rather than teaching rote memorization of how to use Microsoft Word in schools, we should be teaching concepts and fundamentals, so people can make educated choices in their own lives. Computing is now fundamental to the whole modern world, and it's not going away.

Re:so once again...

[Frosty+Piss]

"Run javascript, get pwned". If you care AT ALL about security, you need to block javascript by default and white-list a few sites you care about, like your bank.

I understand, really I do. But for most people this approach is not practical because 99.999 percent of the web sites out there that most people visit use JavaScript for functionality.

Re:so once again...

[WaffleMonster]

So we learn for the 1940390155th time that if you let a remote site run arbitrary scripts on your machine, that remote site might do things that are not in your best interest. Surprise surprise.

Look: we get a constant stream of these things, at least one or two per week, literally for over 10 years. They're all the same. "Run javascript, get pwned". If you care AT ALL about security, you need to block javascript by default and white-list a few sites you care about, like your bank.

If you are still running javascript by default, in 2016, that's on you. You've had over a decade to learn your lesson.

No we learned that compression is vulnerable to side channel attacks something we all knew and nothing more.

Your view is strange given the unfortunate nature of many top sites employing CDNs to pipe out all manner of java frameworks and half the content of their sites and crap. What you are essentially advocating is a nonstarter. NOTHING works without JavaScript today and expecting people to make judgments about validity of specific script files is a complete nonstarter.

There are persistent streams of javascript implementation bugs and browser implementation bugs and style sheet implementation bugs and operating system implementation bugs which regularly require attention to prevent exploitation. It is easy to pull the plug and declare all security problems solved yet this course of action does not actually help anyone.

Re:so once again...

Yeah... it's become kind of chicken and egg though. They all use it (for a bunch of crap that doesn't need scripting at all) because everyone has it enabled by default. So one feeds on the other. If people would move away from enabling it all the time, then sites would back away too, and reserve it for the things that really would need it.

Re:so once again...

[spiritwave]

I want to boost your comment with my "moderator points", but my script blocker only allows the obvious /. domains (slashdot,org, and slashdotmedia.com), so the script running the moderator system coincidentally doesn't work here.

I suppose while I'm here, I should inject my newbie /. request to learn what domain(s) I should unblock for scripting purposes here, so plz feel free to enlighten me on this front.

I also suppose, along my starting sentences with "I" run, that probably everyone reading /. knows about script blocking, but security issues among the mainstream public are seriously problematic (at least in terms of potential attack vectors). It's not a knock against your valid point, but just a reasonably relevant informational nook where people can feel free to discuss it fwiw.

Re:so once again...

[mujadaddy]

I want to boost your comment with my "moderator points", but my script blocker only allows the obvious /. domains (slashdot,org, and slashdotmedia.com), so the script running the moderator system coincidentally doesn't work here.

I suppose while I'm here, I should inject my newbie /. request to learn what domain(s) I should unblock for scripting purposes here, so plz feel free to enlighten me on this front.

I also suppose, along my starting sentences with "I" run, that probably everyone reading /. knows about script blocking, but security issues among the mainstream public are seriously problematic (at least in terms of potential attack vectors). It's not a knock against your valid point, but just a reasonably relevant informational nook where people can feel free to discuss it fwiw.

a.fsdn.com , and possibly the XHR from slashdot.org

Re:so once again...

[Snotnose]

Your view is strange given the unfortunate nature of many top sites employing CDNs to pipe out all manner of java frameworks and half the content of their sites and crap. What you are essentially advocating is a nonstarter. NOTHING works without JavaScript today and expecting people to make judgments about validity of specific script files is a complete nonstarter.

After whitelisting sites like /. and my bank I find 90% of the net works just fine. When I go to a site and nothing happens I can at least look at the URL, take into account where the link came from, and decide whether or not I want to let the page run javascript temporarily. Although I don't keep track, I'd guess 90% don't get to run JS. Sites like time.com will likely get it, those like joeswebpage won't.

Re:so once again...

/. actually has a FAQ.

I use NoScript; what should I know?

Whitelisting slashdot.org is necessary for the fancier parts of the site to function. You'll need to whitelist a.fsdn.com too; that's our CDN, and if you block it, many things may break.

Using NoScript or uMatrix or similar you only need to allow scripts from slashdot.org and fsdn.com (specifically a.fsdn.com). Slashdotmedia.com is used for analytics it seems and is not necessary to whitelist for fully operational site use as far as I've seen.

Re:so once again...

[I4ko]

Usenet and IRC work really fine without JavaScript. Native apps (e.g. on mobile) too, though that's another beehive.

Re:so once again...

[I4ko]

Doing it by domains is wrong. That's why hosts don't work, that's why uBlock doesn't work in all cases. You should have a master operator console on the interpreter, inside all that DOM shite, and be able to confirm execution of each script separately, even those that is inline in the original HTML.

But.... browsers are in a disk measuring contest on how fast (convenient) they can load a page, so the average joe (luser) says "Whoa.. this browser is fast".. For fucks sake, there is an idiot at Chrome who disabled certificate revocation checking, because going and fetching CRLs and OCSP and actually making the check costs about 200ms per host that is in the page. The did provide some small CRLs for few big CAs, inside the browser itself, but if you wanted any sort of checking for those they didn't you actually had to go and make changes into chrome://settings/. It might have changed later on, but that was the time I dropped that stupid browser.

It's just time to drop all HTML/web stuff by the side of the road, let the dog piss on it, leave and never look back. But... there are money to be made....

Re:so once again...

[Grishnakh]

just like we expect people to have some basic awareness of geography

Since when do we expect that? Plenty of surveys have found that random Americans can't even point out Texas on a map of the US.

http://news.nationalgeographic...

http://www.salon.com/2007/08/3...

According to this Salon article from 2007, only 94% of young Americans could even find America on a map! That means 6% of our young population can't! And 12% can't figure out where Mexico is! That means, if you go to a place where 18-20 year-old people are common, more than 1 in 10 of them don't even know this extremely basic fact of geography regarding our southern neighbor.

Re:so once again...

[Threni]

Sure, and some people are too lazy to lock their doors and shut their windows, and those people are going to be spending more time on average shopping for replacement phones and TVs. You can't save people from themselves.

Re:so once again...

[locotx]

So if you replace "javascript" with "black person" then I see your point . . .

Re:so once again...

[locotx]

Correct and stupid uninformed people are the ones that are usually are the victims right?

Re:so once again...

[WaffleMonster]

But.... browsers are in a disk measuring contest on how fast (convenient) they can load a page, so the average joe (luser) says "Whoa.. this browser is fast".. For fucks sake, there is an idiot at Chrome who disabled certificate revocation checking, because going and fetching CRLs and OCSP and actually making the check costs about 200ms per host that is in the page. The did provide some small CRLs for few big CAs, inside the browser itself, but if you wanted any sort of checking for those they didn't you actually had to go and make changes into chrome://settings/. It might have changed later on, but that was the time I dropped that stupid browser.

Revocation is a fantasy. Never worked and my guess too few care enough this will ever change. Personally I think the world is on balance better off without it.

- Low probability of any discernible benefit to average user
- Privacy nightmare
- Unnecessary resource consumption and delays
- Single point of failure / DDOS magnet

Re:so once again...

[EvilSS]

... just like we expect people to have some basic awareness of geography or their own health.

Man, you better aim WAY higher than that for your baseline.

Re:so once again...

[I4ko]

Revocation isn't a fantasy. All of the US government will beg to disagree with HSPD-12 and CACs.


You are right about negligible discernible benefit to average users, because the browsers, in their infinite wisdom and dick measuring are shipping root and intermediate CAs trust certificates by the truckload.
You are really wrong about the delay being unnecessary - it is necessary for security, but you are right, the average luser is "gimme, gimme, gimme", even there is a label on something that it is hacked and leaking, they will still install it themselves just for that one entitlement stoking function.
You are doing it wrong if it is single point of failure. There are many ways to do it right, at the expense of couple of more delays and a sane checker. The one built in Windows or the browsers, isn't .

Re:so once again...

[KiloByte]

So here's a compromise: block only third-party domains -- not just javascript, everything (advertising, tracking, etc). With an extension like RequestPolicy, a site that is stored on multiple servers might require an action to be usable, but it's pretty obvious what to allow. And you need to whitelist requests only on the first visit.

Re:so once again...

[bassman2k]

It's not pretty obvious; it's not obvious at all. For example, I just logged in to comment and realized it was time I changed my password.

I use uMatrix and (kind of) know what I'm doing. I ended up allowing all third-party domains temporarily just to change my password. Go take a look yourself at the ridiculous number of domains NOT named slashdot.org that slashdot.org uses.

Re:so once again...

[antdude]

Yeah and there are users who surf go to various web sites often. :(

Re:so once again...

NOTHING works without JavaScript today and expecting people to make judgments about validity of specific script files is a complete nonstarter.

That's a complete lie. The only things that don't work are worthless shit. Stop wasting your time on worthless shit.

Re:so once again...

[spiritwave]

The fsdn.com one worked, thank you.

Re:so once again...

[david_thornley]

Whitelist selected javascript, and disable everything else.

That's getting really hard to do. I used to rely on NoScript for my main defense, and when I wanted to use a site I'd allow the scripts through that came from that domain, and everything worked fairly well. In the last few years, I found that more and more sites are using scripts from somewhere else, with no clear idea of what "somewhere else" means. This means that, to get a site to work, it is necessary to enable script sources more or less randomly until it works. (I figure that my main threat is advertisements, XSS, and other ways to run malicious scripts that are not from the site I'm at. Foolishly or not, I'm willing to take my chances with scripts on the sites themselves.)

What we'd need is for the site to list somehow which script sources it uses, as opposed to whatever is dumped in from elsewhere, and the browser (or plug-in) to block scripts on that basis. Realistically, that would tick off advertisers to the point that it isn't going to happen. People are not going to stop web-surfing because of an abstract threat. I don't have a solution here.

Re:so once again...

[david_thornley]

You mean the 90% of the web that you use, because that isn't the case for lots and lots of sites. When you give the temporary permission, what do you give it to? Everything on the page (which means that time.com is a danger) or the domain of the URL (which breaks quite a few sites nowadays)?

Re:so once again...

joeswebsite is usually not the degenerate pos trying to spy on you/attack you. It's the big, well known, corporate whores that are running all the analytics and the ads that can be hacked to deliver malware.

In other news

I will continue to play my drums and keep my modem unplugged. Go ahead, try hacking me!

New Homeland Security Breakthrough!

Security researchers at KU Leuven have discovered an security technique, dubbed HEIST, which can uncover terrorist plans, child pornography, neckbeard styling tips, and more from HTTPS pages!

Re:New Homeland Security Breakthrough!

which can plant terrorist plans, child pornography, neckbeard styling tips, and more

FTFY

Re:New Homeland Security Breakthrough!

[tehlinux]

Don't give them any ideas!

Re:New Homeland Security Breakthrough!

[AHuxley]

re “The Art of Deception: Training for Online Covert Operations.” https://theintercept.com/2014/...
and injecting all sorts of false material :)

I was going to read this article...

[burhop]

... but the intro made me afraid to click the link.

Still just guess and check

correct guesses result in no appreciable increase in data size while incorrect guesses cause the response to grow larger.

So they still have to brute-force your SSN.

Re: Still just guess and check

Nuh-uh, they only have to bruteforce each number aftzr the other, so they get the SSN number by number, Hollywood style!

honey, get my time machine.

[nimbius]

Slashdots runnin' another story on how 4 year old exploits are still unaccountably dangerous. And this time theres another wild and terrifying exploit called HEIST that, while entirely incapable of decrypting my traffic or interfering with my session, can determine what webserver im using so long as my connection uses http2. This exploit is the scariest thing since we started assigning arbitrary bullshit names to common vulnerabilities to gin up clickthrough revenue on krebs.

Re: honey, get my time machine.

Before you had to man in the middle someone to do this. Now they have to come right up to you... Wow, just wow.

Malicicously. Crafted. Ad.

[Calydor]

Yet another reason to never, NEVER turn off AdBlock, NoScript, Ghostery etc.

Advertisers and site operators, I don't CARE about your precious earnings if they come at a threat to my property.

Re:Malicicously. Crafted. Ad.

This. A thousand times, this.

Most web sites actually work okay with JavaScript disabled (eg via NoScript). For a few you do need to whitelist something -- but it's amazing how freaking many pull in .js from half the freaking internet. No, just...no. (I also see a lot of even legit business sites linking in crap like googletags. Nope, not going to let you have that one either, and usually the site still works for what I need it to do.)

If you've got javascript you need me to run to make your website work (why?) then host it on your own damn site, because I'm not pulling it from some random third party.

Re:Malicicously. Crafted. Ad.

I just installed uMatrix because of this article. It is a very configurable whitelist for web-related scripts, plugins, images, etc.

My web latency just dropped by a factor of two or more.

Re:Malicicously. Crafted. Ad.

[tehlinux]

The internet is shit these days because of ad sponsored content and SEO anyway. Fuck those guys.

Re:Malicicously. Crafted. Ad.

[antdude]

Even if the web site/page doesn't work due to false positives? :(

Re:Malicicously. Crafted. Ad.

[houghi]

I do not even care about THEIR precious earnings if there was no threat to my property.

Re:Malicicously. Crafted. Ad.

ghostery? a closed source blocker made by the ad agencies? try the open source Disconnect instead. All is moot if you're still running windows.

Marketing

If marketing folks fail to properly package and brand an exploit, is it still a threat?

One more on the pile.

[TheCarp]

Once again proven that browsing the web is like going to a diner party in a world where the handshake has been replaced with unprotected anal sex.

Sure, many people you meet may be offended when you insist on a condom (plugins like requestpolicy, and noscript) and say its some right of theirs to not let you sit at their table because of it, or rant on about how they need to get paid....

but at the end of the day.... its basic security. Loading and running code from random third party sites is not safe. It doesn't matter if its inside a restricted environment, its a risk. Its a risk website owners are in the habbit of irresponsibly magnifying for all of their viewers without a second thought

You should protect yourself. Wear condoms unless you really know your partner. Get some here:
https://requestpolicycontinued...

https://noscript.net/

If you have a browser other than firefox, you will need something else, I don't know what they are but, bottom line...protect yourself.

Re:One more on the pile.

Agree with you about all that. The unfortunate bits here are that (1) many browsers do not allow you sufficient capability to protect yourself (because you are the product, not the customer, and it would hurt the customers for the product to protect itself), and (2) Firefox also has plans to remove the low level extension mechanism required to implement fine grained control. XUL is being replaced be something called "WebExtensions", which is similar to what Chrome etc provide. Unfortunately, it is more of a scripting mechanism and will not allow many of the things possible today in Firefox through the lower level XUL interface.

There will still be forks of FF that allow these things, but the ecosystem of security-minded extension builders may be fractured by this, and not every important one will be available to every fork. It could end up being a major problem for people trying to browse the web securely. Also, the modern web is so complex that maintaining a browser with a small team easily means falling behind, with more and more sites not working as the years go by.

We will have to wait and see. Signs are inauspicious, however. The internet is turning from a thing that empowers users, to a thing that empowers advertisers and multinationals.

Re:One more on the pile.

[VorpalRodent]

I'm...I'm interested in both the culture that gives rise to your metaphorical society as well as its outcomes. I'm interested in how you'd position that as an elevator pitch for a movie. I just...I have so many questions right now.

Re:One more on the pile.

[AHuxley]

Ty for requestpolicy :) Installed.

Re:One more on the pile.

Surely you can get these under Chrome? Or are we saying that Firefox is the only secure browser to use?

Re:One more on the pile.

[TheCarp]

Well...just look at the current culture of web browsing and you have your answer. All you really need is a lack of sexual taboo and no awareness of sexually transmitted disease; which is pretty much the case for most web users and what their browsers do.

A man ejaculating in your ass _is_ leaving executable code behind. No different from when your browser blindly loads scripts from any site pointed to. All a virus is, biologically, is a form of automated root kit.

It really is a perfect analogy for every day pc use.

Synopsis

[grmoc]

I'm not a fan of that article summary.

New summary:
It is the same as CRIME, but we're using your browser's performance timing JS API as the man-in-the-middle.

A review:
Stick sensitive info into compressed stuff, and you make that sensitive info less private. If the encryption is zlib-like, then the attacker can guess the information quite quickly-- a good compressor compresses substrings, not just the whole thing.
That means that if you have a SSN in there, the attacker can guess some substrings of your SSN, and the response won't be much bigger.
Guesses that don't share substrings with your SSN will be larger-- the attacker can reject those as bad guesses and not try those substrings again.

With HTTP2's HPACK compressor (only used for info in the headers), this side-channel is eliminated-- only an exact guess of the data will allow this to happen.This is completely unrelated, however, to someone using entity-body compression with HTTP2. If you mix sensitive data with everything else in the compressed-entity body... side channel attacks galore!

A mitigation: Don't put the sensitive data in the same resource as the non-sensitive data, and then don't compress the sensitive data.
HTTP2 makes this cheaper. If sites do this, then these attacks simply do not work any better than the brute-force guessing would.
Ensuring that this happens (no sensitive data compressed) isn't necessarily the most easy thing...

Another obvious one is disable the timing API for 3rd party stuff. This is not as effective theoretically, but it is way easier to deploy and makes these kinds of attacks require an external 3rd party.

Re:Synopsis

[tepples]

A mitigation: Don't put the sensitive data in the same resource as the non-sensitive data

A mitigation separating the template from the data is feasible if JavaScript is enabled, but not for users who block JavaScript by default.

Re:Synopsis

Even without JS it can work just fine.
HTTP2, as an example, makes it cheap to compose a page from multiple resources. At a minimum, you could use iframes. ... so do it!

Re:Synopsis

[Rob+Y.]

How about padding the compressed data with a random length string of random stuff. Wouldn't add much to the payload size, but it'd screw up the ability to manipulate the compression to help you guess the contents.

Re:Synopsis

This increase the cost for the attacker, but they just move into the realm of statistics.
Do everything 100 times, and the randomness kinda cancels out.

HTTP2 actually includes a mechanism for doing precisely this, but it really isn't the best solution.

Re:Synopsis

[complete+loony]

I've mentioned this before when CRIME & BREACH were in the news, the compression used by browsers does support inserting blocks of uncompressed bytes. I'm not saying that it would be easy, but it would be possible to build API's to mark which bytes of the stream are sensitive and should not be compressed.

One more 'sploit where...

... the most noteworthy thing is the craftily cute name.

Please stop attention whoring

[WaffleMonster]

The takeaway we all learned many many years ago compression can be used as a side channel attack and therefore should probably never be used in conjunction with any stream containing sensitive data.

There is no need to invent different names based on where that compression occurs (CRIME, BREACH...etc.) or to assign even more aliases (HEIST) to the same damn thing. Wow you found a new set of metrics to enhance a side channel we all already knew about... so what?

This is one of the things I always hated about Defcon at least in the early days there were all kinds of talks about different ways to exploit this and that when everyone knew they weren't secure in the first place... like the old joke about someone discovering you can mount an unencrypted drive on another operating system and access all your files without knowing the password!!

It often boiled down to nothing more than implementing what everyone understood was possible anyway. Not very useful in my opinion.

At this point in the game anyone with important information to protect still vulnerable to compression attacks should probably do everyone a favor and look for a new line of work. There really isn't a valid excuse at this point.

Re:Please stop attention whoring

[JesseMcDonald]

The takeaway we all learned many many years ago compression can be used as a side channel attack and therefore should probably never be used in conjunction with any stream containing sensitive data.

AFAICT, the vulnerability isn't compression in general, but compressing sensitive data along with data controlled by an attacker. Just compressing the sensitive data by itself won't leak much; it gives away how compressible the data is, of course, but that isn't very much to go on by itself, and the same data would always compress to the same size.

What we need is a structured format where data from different sources can be compressed separately. Classic MVC design, in other words; the sensitive data (the model) should be delivered independent of the view (the presentation of the data, including things like ads). The view should ideally be a static, cacheable resource, and any ads should be as isolated from the rest of the page as if they had been opened in a separate browser instance.

Re:Please stop attention whoring

[WaffleMonster]

AFAICT, the vulnerability isn't compression in general, but compressing sensitive data along with data controlled by an attacker. Just compressing the sensitive data by itself won't leak much

Yes it is compression in general that leaks relationships between length and content. You don't even need to influence channel to benefit from dependency between content and length.

People have for example demonstrated recovery of useful information from encrypted voice communications simply by use of complex codecs without having to compromise encryption or wield any influence on in-band messages.

Obviously the more intermediate data you can collect and the more you can influence channel (often possible in web environments) yields worse real world outcomes yet the root cause is unchanged. compression = information leak.

What we need is a structured format where data from different sources can be compressed separately. Classic MVC design, in other words; the sensitive data (the model) should be delivered independent of the view (the presentation of the data, including things like ads). The view should ideally be a static, cacheable resource, and any ads should be as isolated from the rest of the page as if they had been opened in a separate browser instance.

Not using compression or using secure compression algorithms designed to not leak information would be a far safer option than depending on people not to fuck up.

Re:Please stop attention whoring

[JesseMcDonald]

People have for example demonstrated recovery of useful information from encrypted voice communications simply by use of complex codecs without having to compromise encryption or wield any influence on in-band messages.

That I can believe, but it seems to be more a matter of analyzing the real-time bandwidth (many samples of compressability over time) rather than the overall compressed length. If all you had was a recording of the complete conversation, compressed and then encrypted, I doubt much could be inferred from the length of the ciphertext. There wouldn't be enough entropy in the length to represent more than a few words even if the compression algorithm were specifically designed to encode the content into the length with maximum efficiency. Also, voice communications is massively redundant when you consider the amount of data required to recognizably represent someone's voice compared to the plain information content of the conversation, so an attacker doesn't need to extract much of the original information at all to infer which words were spoken. This analysis probably wouldn't work nearly as well when applied to content other than audio and video streams.

The key point is that the length of the ciphertext only reveals a few bits of information in the worst case. If you give an attacker lots of samples to work with, either of the same message compressed many different ways, as in this SSL attack, or of distinct parts of the same message (e.g. many fixed-duration blocks of audio), it risks giving away enough of the message to be a significant risk. If the data is compressed as a whole in exactly one way, without any input from an attacker, then the most the attacker might be able to get from the change in length due to compression would be log2(uncompressed_length) bits. That isn't a significant risk provided the message has considerably more entropy than the number of bits in the length, which is true for most messages.

Not using compression or using secure compression algorithms designed to not leak information would be a far safer option...

No argument there; of course, a computer which is switched off, unplugged, and buried under six feet of concrete is far more secure than one you can actually use. There are security/usability trade-offs to be considered. Compression saves bandwidth, and thus cost, which makes some uses practical which wouldn't be otherwise. Usability aside, eliminating redundancy in the plaintext before encryption also carries some benefit when it comes to thwarting cryptoanalysis.

Re:Please stop attention whoring

Not using compression at all is not a good idea either, since if the attacker doesn't know much about the content and length, compression actually makes it harder to crack the encryption.
Not to mention that abandoning compression completely will lengthen your page loads, which is undesirable since most of the time compression doesn't hurt you. It's only in cases where the attacker knows or controls the length or part of the content that the trouble arises. Most of the this is not the case, and most of the time the attacker cannot do much with the information, so instead of degrading performance everywhere, we should mitigate the problem for those things where it causes trouble, like logins.

Re:Ghostery & Adblock = inferior vs. hosts

Can I pay my AT&T bill with your hosts file? Because I have to shut off ublock to even get the login screen to come up, because AT&T hosts their ads from the same address.

I'm very disappointed in this artical

I read the title too quickly and throught it would be about a awesome new nuclear SIGINT submarine.

Lesser of two evils

[tepples]

If you've got javascript you need me to run to make your website work (why?)

I agree that for sites presenting only static information, JavaScript ought to be unnecessary. But for browser-based video games, it's the lesser of two evils. Games like Cookie Clicker and Pirates Love Daisies could instead have been written in Flash; would that have been a better choice?

Re:Lesser of two evils

I think you're right and that one can differentiate these things based on reasonable expectations, or the ability to simply explain what's going on.

I took a look at Pirates Love Daisies. If I'm playing a game in the browser then it's understandable that JavaScript is powering the game. So running JavaScript from www.pirateslovedaisies.com is completely expected and acceptable.

They also request a frame from facebook.com which I block, and a script from statcounter.com which I also block. For normal users though, the presence of those may be easily understood and even desired. Some people do like sharing that they're playing a game or reached a certain level or score, and integration with Facebook makes doing so simple.

It should also be common knowledge (I don't think it is, but it's something our youth should be taught in a basic internet/technical literacy class) that it is trivial for website operators to track everything you do on their site, and many of these reasons you as a user may even find acceptable. As a site visitor I can respect and understand a website admin logging access to determine scaling needs, problem users or bots, monitoring data access as feedback after site changes, etc. Some farm parts of this out to third parties (e.g. statcounter, all kinds of analytics companies), which I can understand in terms of delegating work (e.g. Google Analytics providing a nice, inexpensive report when you don't have the technical skills or time to create something similar yourself). However, data is being handed off to third parties, who I may not trust or wish to do business with, so I think being cautious is quite warranted. But I can at least understand why access requests to facebook.com and statcounter.com are being used when playing this game.

Then take a look at Slashdot. slashdot.org and fsdn.com (/.'s CDN) make obvious sense. Then there are:

image from amazonaws.com
image from gstatic.com
script from rpxnow.com
XHR from api.stacksocial.com
scripts from adnxs.com
script from cloudfront.net
script from contextweb.com
scripts from crsspxl.net
script from googletagservices.com
scripts from janrain.com
scripts from lijit.com
script from ntv.io
script from ads.pro-market.net
script from ads.rubiconproject.com
script from analytics.slashdotmedia.com
script from taboola.com
script from truste.com

That seems sketchy and sloppy as hell. Is all that shit really needed to run this site? What (and where) is the explanation for all of that being used?

Requests from some other tech news sites:
Hacker News: ycombinator.com only
Soylent News: soylentnews.org only
Reddit: reddit.com, redditstatic.com, redditmedia.com

I think it's valid to criticize websites that require JavaScript enabled for essentially static content which can be served just fine with HTML5 and CSS. That's mostly amateurs and sloppy developers. It's something else entirely to incorporate a whole bunch of third parties into your site with no explanation, no clear reason, and no specific details about what is being shared with them individually, as well as having those third parties execute scripts in your browser. I would say avoid those sites like the plague, but there is inevitably something that draws people to them in spite of the sketchy decisions behind the scenes. I still enjoy the comments on /., so script and adblockers ahoy.

Re:Lesser of two evils

... it is trivial for website operators to track everything you do on their site, and ... as a user [you] may even find acceptable... Some [site operators] farm parts of this out to third parties... providing a nice, inexpensive report when you don't have the technical skills or time to create something similar yourself. However, data is being handed off to third parties, who I may not trust or wish to do business with, so I think being cautious is quite warranted....
That seems sketchy and sloppy as hell. Is all that shit really needed to run this site? What (and where) is the explanation for all of that being used?

*This*
The argument has been that site operators require users to not block third parties because it stops their revenue stream.
1. Their revenue stream should not be part of my concern as a customer.
2. They can serve ads from their own domain, and I would not be able to block them without blocking the entire site. They have options, but have decided not to use them.
Because site operators *want* to create their income from third party operators, they should blame their third parties for their crappy product that doesn't work well enough, and not blame their users for visiting them.

possible solution

Always use an ad blocker like uBlock Origin and a no script plugin like uMatrix. However, there is still always a possibility this attack might get through anyways. Here is what I found on how to turn off HTTPS compression on Chrome and Firefox.

In Chrome download the modheader extension from:
https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj?hl=en

Then set a new custom header accept-encoding to an empty value.

In Firefox do the following: Type about:config in the URL bar (Accept the disclaimer). Search for network.http.accept-encoding and double-click on it. Backup (write down) the current value. Delete the value entirely and leave an empty field in its place. Save changes. Restart Firefox.

Note: Some proxies will ignore the empty value and still compress the data. I'm uncertain yet as to a way to permanently disable compression in existing browsers in those situations. It might require the browser be recompiled without the support to be sure.

Uh?

Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk.

As opposed to before, when it was totally safe to visit websites owned by a malicious party?

Re:Easily - edit hosts OR rename it

[tepples]

my program [turns hosts customization on and off] for you via its rightclick tooltray icon popup menu

Analogously to "disable antivirus" controls in the notification area, I assume. That's fine provided you close all other tabs and all other programs that use the Internet before opening the bill payment form. If you have other tabs running in the background, even on a separate browser profile, the setting affects them as well.

it's a rarity when a site hosts their own ads - advertisers don't trust webmasters alleged clickview counts

How do advertisers and webmasters trust ad networks' alleged click/view counts any better? And what stops webmasters from adopting the same means of earning trust as ad networks?

all I see is unjustifiable downmods on my posts

The downmods, as I see them, are on your habit of formatting them in a spammy manner.

Another Overblown Exploit?

[TomGreenhaw]

Anybody who willingly allows external code like ads or third party Javascript solutions should know that they are intentionally injecting potentially malicious code.

WTF's "formatting in a spammy manner?"

See subject: I'm on topic, hosts work here (better than anything else for more speed, security, & reliability for less).

APK

P.S.=> The rest of what you wrote is non-sequitur - ads aren't typically hosted on the same server as a website (MAYBE 1/2 a % tops) so whatever 'point' you tried to make isn't REALITY (what I said is) & yes, you can easily enable/disable hosts as I said solving the problem - it makes me laugh when people here try arguments I've DEFEATED LONG AGO over & over (it's boring for me @ this point)... apk

UBlock = inferior + inefficient vs. hosts

UBlock can't do these as well as (or @ all) hosts do 4 speed, security, & reliability:

1.) Protect vs. bad sites (past ads)
2.) Protect vs. fastflux botnet C&C's
3.) Protect vs. dyndns botnet C&C's
4.) Protect vs. DGA botnet C&C's
5.) Protect vs. downed DNS (reliability)
6.) Protect vs. DNS poisoned dns
7.) Protect vs. trackers
8.) Protect vs. spam payloads
9.) Protect vs. phish payloads
10.) Protect vs. caps
11.) Get past dns blocks
12.) Keep off dns request logs
13.) Speed up 2 ways (adblocks/hardcodes)
14.) Work on anything webbound multiplatform.
15.) Ez data edit
16.) Block ads more efficiently in cpu/ram/I-O use
17.) UBlock now uses hosts (no DNS benefits vs. dns issues) - poor imitation = "sincerest form of flattery"

Hosts = native vs. illogically "Bolting on 'MoAr'" & not ClarityRay blockable like addons.

APK

P.S.=> Hosts (1st resolver) do MORE w/ less in fast kernelmode & before slow usermode addons

Hosts ~3mb vs. UBlock = 64MB -> http://cdn.ghacks.net/wp-conte...

Easily - edit hosts OR rename it

See subject: Either works to disable hosts + my program does it for you via its rightclick tooltray icon popup menu (& it's a rarity when a site hosts their own ads - advertisers don't trust webmasters alleged clickview counts is why - I don't blame them either)

YOU CAN DOWNMOD ME ALL DAY TO HIDE YOUR FAILS LIKE YOU DID LAST TIME I POSTED THIS VALID ANSWER FOOLS https://yro.slashdot.org/comments.pl?sid=9484181&cid=52645601 & IT DOESN'T MATTER - I JUST REPOST IT!

APK

P.S.=> And there you go/voila easy as apple pie - & all I see is unjustifiable downmods on my posts regarding hosts blatant overall HUGE superiority vs. addons on most every level there is... yet NOBODY proves me validly technically wrong on them either (impossible to do - I use verified facts)... apk

Ghostery/Adblock/UBlock = inferior vs. hosts

APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

Ads rob speed, security (malvertising), privacy (tracking).

Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively.

Works vs. caps & PUSH ads.

Avg. page = big as Doom http://www.theregister.co.uk/2... & ads = 40% of it.

Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)

Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity.

Compliments firewalls (blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load).

Gets data via 10 security sites.

APK

P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "seen the code & it's safe" http://forum.hosts-file.net/vi... )

Janrain's role in OpenID Connect

[tepples]

The Janrain one I'm pretty sure is related to Slashdot's role as a relying party for login with OAuth-based identity providers, such as Google, Facebook, and Twitter. I've written elsewhere about how the switch from OpenID 2 to OpenID Connect transformed an O(n) problem into an O(n^2) one. Slashdot can sign up for a separate client key and secret with every single identity provider out there, or it can sign up for a single client key and secret with Janrain.

UBlock = inferior + inefficient vs. hosts

UBlock can't do these as well as (or @ all) hosts do 4 speed, security, & reliability:

1.) Protect vs. bad sites (past ads)
2.) Protect vs. fastflux botnet C&C's
3.) Protect vs. dyndns botnet C&C's
4.) Protect vs. DGA botnet C&C's
5.) Protect vs. downed DNS (reliability)
6.) Protect vs. DNS poisoned dns
7.) Protect vs. trackers
8.) Protect vs. spam payloads
9.) Protect vs. phish payloads
10.) Protect vs. caps
11.) Get past dns blocks
12.) Keep off dns request logs
13.) Speed up 2 ways (adblocks/hardcodes)
14.) Work on anything webbound multiplatform.
15.) Ez data edit
16.) Block ads more efficiently in cpu/ram/I-O use
17.) UBlock now uses hosts (no DNS benefits vs. dns issues) - poor imitation = "sincerest form of flattery"

Hosts = native vs. illogically "Bolting on 'MoAr'" & not ClarityRay blockable like addons.

APK

P.S.=> Hosts (1st resolver) do MORE w/ less in fast kernelmode & before slow usermode addons

Hosts ~3mb vs. UBlock = 64MB -> http://cdn.ghacks.net/wp-conte...

AdBlock = inferior + 'souled-out' vs. hosts

Adblock can't do (or do as well) 16 things hosts do 4 speed, security & reliability:

1.) Protect vs. bad sites (past ads)
2.) Protect vs. fastflux botnet C&C servers
3.) Protect vs. dynamic dns botnet C&C servers
4.) Protect vs. DGA botnet C&C servers
5.) Protect vs. downed DNS (reliability)
6.) Protect vs. DNS redirect poisoned/downed dns
7.) Protect vs. trackers
8.) Protect vs. spam payloads
9.) Protect vs. phish payloads
10.) Protect vs. caps
11.) Get past dns blocks
12.) Keep off dns request logs
13.) Speed up 2 ways (adblocks & hardcodes)
14.) Work on anything webbound multiplatform.
15.) Ez data edit
16.) Block ads more efficiently in cpu/ram/I-O us

* ANSWER ="NO"

APK

P.S.=> Ab+ does less vs. hosts less efficiently (a 128-151mb memory hog http://cdn.ghacks.net/wp-conte...)

ClarityRay defeats it

Ab+'s bribed not to work by default http://www.businessinsider.com...

AdBlock's SLOWER: http://superuser.com/questions...

Ghostery = 'souled-out' & inferior vs. hosts

Can ghostery do 16 things hosts do for speed, security, & reliability:

1.) Protect vs. malicious sites (past ads)
2.) Protect vs. fastflux botnet C&C's
3.) Protect vs. dynamic dns botnet C&C's
4.) Protect vs. DGA botnet C&C'ss
5.) Protect vs. downed DNS (reliability)
6.) Protect vs. DNS redirect poisoned/downed dns
7.) Protect vs. trackers
8.) Protect vs. spam payloads
9.) Protect vs. phish payloads
10.) Protect vs. caps
11.) Get past dns blocks
12.) Keep off dns request logs
13.) Speed up 2 ways (adblocks & hardcodes)
14.) Work on anything webbound multiplatform.
15.) Ez data edit
16.) Block ads more efficiently in cpu/ram/I-O use

* ANSWER ="NO" OR as well vs. hosts (natively vs. illogically inefficiently "Bolting on 'MoAr'").

APK

P.S.=> Addons do less vs. hosts & less efficiently - hosts do MORE w/ less + start w/ IP stack before REDUNDANT inefficient addons BEGIN to work!

Ghostery (Advertiser owned) "Fox guards henhouse" -> http://en.wikipedia.org/wiki/G...

Well That's Not Good

I mean really? HTTPS enables an exploit?

What's next, a clean diesel engine that uber-pollutes the air? Oh right...

Malicious websites are dangerous... news at 11

As opposed to previous vulnerabilities, this one is different because:

"visiting a website owned by a malicious party, you are placing your online security at risk" ...and this is news?

Best adblocker & more vs. online threats

APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

Ads rob speed, security (malvertising), privacy (tracking).

Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively.

Works vs. caps & PUSH ads.

Avg. page = big as Doom http://www.theregister.co.uk/2... & ads = 40% of it.

Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)

Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity.

Compliments firewalls (blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load).

Gets data via 10 security sites.

APK

P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "seen the code & it's safe" http://forum.hosts-file.net/vi... )

Funny hosts work for ME... apk

See subject: ... & I post here ALL day long (even past typical AC limits) + yes, a.fsdn.com? Don't block it in hosts for /. (simple).

APK

P.S.=> For the BEST possible custom hosts file for more speed, security, reliability & anonymity? Well, you know-> APK Hosts File Engine 9.0++ SR-4 32/64-bit https://yro.slashdot.org/comme... ... apk

New Attack Steals SSNs

[fox171171]

Nuclear powered attack submarines have been stolen? Oh my.

Re:New Attack Steals SSNs

Greetz, shipmate. -PCP

Re:Ghostery = 'souled-out' & inferior vs. host

[Calydor]

I get this odd feeling that these posts are from a bot responding to the presence of words like

AdBlock

so let's see what happens now.

We already saw what happened... apk

See subject: You did a "Run, Forrest https://yro.slashdot.org/comme... RUN!!! https://yro.slashdot.org/comme... vs. the facts in those 2 posts' lists that extoll hosts SUPERIORITY (by miles on most every grounds there is) over INFERIOR bloated redundant crippled by default souled-out to advertiser addons...

* That & a TRUCKLOAD of doubtless sockpuppet downmods on my posts (which I BLOW BY easily & exhaust of modpoints, every SINGLE time, lmao!)

APK

P.S.=> That's all ANYONE has to see OR know, lol... apk

Re:We already saw what happened... apk

[eaglesrule]

Experimentation: Ublock application and presentation, while Ghostery session transport. Adblock network datalink physical, fuck hosts file.

1 hosts file does more for less than all 3

See subject: Adblock fails https://yro.slashdot.org/comme... UBlock fails https://yro.slashdot.org/comme... Ghostery fails https://yro.slashdot.org/comme...

* Thus YOU FAIL TOO for suggesting such slower USERMODE (vs. hosts in faster kernelmode) messagepassing overheads ridden BLOATED redundant ineffective "so-called 'solutions'" that are 'souled-out' to advertisers NOT DOING THEIR JOB anymore by default & on their BEST DAY they can't do a FRACTION of what hosts do for less...

APK

P.S.=> Hosts does MORE than all 3 COMBINED for far, Far, FAR LESS more efficiently for more speed, security, reliability & anonymity online... apk