Slashdot Mirror
New Attack Steals SSNs, E-mail Addresses, and More From HTTPS Pages (arstechnica.com)
Security researchers at KU Leuven have discovered an attack technique, dubbed HEIST (HTTP Encrypted Information can be Stolen Through TCP-Windows), which can exploit an encrypted website using only a JavaScript file hidden in a maliciously crafted ad or page. ArsTechnica reports: Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly. HEIST will be demonstrated for the first time on Wednesday at the Black Hat security conference in Las Vegas. "HEIST makes a number of attacks much easier to execute," Tom Van Goethem, one of the researchers who devised the technique, told Ars. "Before, the attacker needed to be in a Man-in-the-Middle position to perform attacks such as CRIME and BREACH. Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk." Using HEIST in combination with BREACH allows attackers to pluck out and decrypt e-mail addresses, social security numbers, and other small pieces of data included in an encrypted response. BREACH achieves this feat by including intelligent guesses -- say, @gmail.com, in the case of an e-mail address -- in an HTTPS request that gets echoed in the response. Because the compression used by just about every website works by eliminating repetitions of text strings, correct guesses result in no appreciable increase in data size while incorrect guesses cause the response to grow larger.
using only a JavaScript file hidden in a maliciously crafted ad or page
So we learn for the 1940390155th time that if you let a remote site run arbitrary scripts on your machine, that remote site might do things that are not in your best interest. Surprise surprise.
Look: we get a constant stream of these things, at least one or two per week, literally for over 10 years. They're all the same. "Run javascript, get pwned". If you care AT ALL about security, you need to block javascript by default and white-list a few sites you care about, like your bank.
If you are still running javascript by default, in 2016, that's on you. You've had over a decade to learn your lesson. This is like someone walking through the worst part of town at 3am flashing jewels and expensive watches. Then they get mugged. Is it the muggers fault? Yeah, of course it is. But the person doing this is still a bloody idiot, especially after it happens for the 10th time, and then the 20th, and the 50th, and the 100th. Eventually, they need to learn from experience.
Whitelist selected javascript, and disable everything else. It's time. It was a bad idea just like ActiveX was. The internet is not your friend. Random domains are not trustworthy. Stop letting them run code in your browser. Ignorance stops being a reasonable excuse after endless repetitions of "See this incredible new exploit(*)! (*) that requires you let the attacker run code on your computer."
... but the intro made me afraid to click the link.
Yet another reason to never, NEVER turn off AdBlock, NoScript, Ghostery etc.
Advertisers and site operators, I don't CARE about your precious earnings if they come at a threat to my property.
-=This sig has nothing to do with my comment. Move along now=-
Once again proven that browsing the web is like going to a diner party in a world where the handshake has been replaced with unprotected anal sex.
Sure, many people you meet may be offended when you insist on a condom (plugins like requestpolicy, and noscript) and say its some right of theirs to not let you sit at their table because of it, or rant on about how they need to get paid....
but at the end of the day.... its basic security. Loading and running code from random third party sites is not safe. It doesn't matter if its inside a restricted environment, its a risk. Its a risk website owners are in the habbit of irresponsibly magnifying for all of their viewers without a second thought
You should protect yourself. Wear condoms unless you really know your partner. Get some here:
https://requestpolicycontinued...
https://noscript.net/
If you have a browser other than firefox, you will need something else, I don't know what they are but, bottom line...protect yourself.
"I opened my eyes, and everything went dark again"
I'm not a fan of that article summary.
New summary:
It is the same as CRIME, but we're using your browser's performance timing JS API as the man-in-the-middle.
A review:
Stick sensitive info into compressed stuff, and you make that sensitive info less private. If the encryption is zlib-like, then the attacker can guess the information quite quickly-- a good compressor compresses substrings, not just the whole thing.
That means that if you have a SSN in there, the attacker can guess some substrings of your SSN, and the response won't be much bigger.
Guesses that don't share substrings with your SSN will be larger-- the attacker can reject those as bad guesses and not try those substrings again.
With HTTP2's HPACK compressor (only used for info in the headers), this side-channel is eliminated-- only an exact guess of the data will allow this to happen.This is completely unrelated, however, to someone using entity-body compression with HTTP2. If you mix sensitive data with everything else in the compressed-entity body... side channel attacks galore!
A mitigation: Don't put the sensitive data in the same resource as the non-sensitive data, and then don't compress the sensitive data.
HTTP2 makes this cheaper. If sites do this, then these attacks simply do not work any better than the brute-force guessing would.
Ensuring that this happens (no sensitive data compressed) isn't necessarily the most easy thing...
Another obvious one is disable the timing API for 3rd party stuff. This is not as effective theoretically, but it is way easier to deploy and makes these kinds of attacks require an external 3rd party.
The takeaway we all learned many many years ago compression can be used as a side channel attack and therefore should probably never be used in conjunction with any stream containing sensitive data.
There is no need to invent different names based on where that compression occurs (CRIME, BREACH...etc.) or to assign even more aliases (HEIST) to the same damn thing. Wow you found a new set of metrics to enhance a side channel we all already knew about... so what?
This is one of the things I always hated about Defcon at least in the early days there were all kinds of talks about different ways to exploit this and that when everyone knew they weren't secure in the first place... like the old joke about someone discovering you can mount an unencrypted drive on another operating system and access all your files without knowing the password!!
It often boiled down to nothing more than implementing what everyone understood was possible anyway. Not very useful in my opinion.
At this point in the game anyone with important information to protect still vulnerable to compression attacks should probably do everyone a favor and look for a new line of work. There really isn't a valid excuse at this point.