New VORACLE Attack Can Recover HTTP Data From Some VPN Connections

"A new attack named VORACLE can recover HTTP traffic sent via encrypted VPN connections under certain conditions," reports Bleeping Computer, citing research presented last week at the Black Hat and DEF CON security conferences. An anonymous reader writes: The conditions are that the VPN service/client uses the OpenVPN protocol and that the VPN app compresses the HTTP traffic before it encrypts it using TLS. To make matters worse, the OpenVPN protocol compresses all data by default before sending it via the VPN tunnel. At least one VPN provider, TunnelBear, has now updated its client to turn off the compression. [UPDATE: ExpressVPN has since also disabled compression to prevent VORACLE attacks.]

HTTPS traffic is safe, and only HTTP data sent via the VPN under these conditions can be recovered. Users can also stay safe by switching to another VPN protocol if their VPN client suppports multiple tunneling technologies.
In response to the security researcher's report, the OpenVPN project "has decided to add a more explicit warning in its documentation regarding the dangers of using pre-encryption compression."

Re:This suggests a serious weakness.

[chill]

You're not understanding the attack. It isn't an attack on the encryption itself, but rather taking advantage of the fact that compression happens first and being able to inject some data. By injecting some data that is then compressed, and observing the change in resultant size, they can infer certain things about the encrypted payload.

For example, if the plain text is "AAAABCDEF" a simple compression tool would turn that into "4ABCDEF" before encrypting. The size changed from 9 bytes to 7.

If you can inject AAA and make it "AAAAAAABCDEF" which then compresses to "7ABCDEF", the size of the resulting encrypted string goes from 12 to 7.

Both the 7 byte streams are perfectly encrypted, but I could now infer that multiple As are part of the plaintext.

Yes, this takes the ability to inject data, hence luring to a compromised site. Yes, it takes a LOT of packets to do this, and it really only works on things like web cookies, which are 4K maximum and much smaller in practice.

But is has nothing to do with the quality of the encryption algorithm.

Re:This suggests a serious weakness.

[DarkOx]

What you don't understand is that you just described virtually every web page. This is essentially the same attacks that worked on SSL3.0 and TLS1.0 when compression was enabled.

The reason it works is that the attacker has access to 99% (roughly) of the plain text. Lets say I want to discover you bank routing number on a web page. As the attacker I register myself and discover the size and all the non-dynamic content on the page. I can inject my own content say a short string of numeric characters and compress the data. I can than observe the change in size.

Now if I am observing your network traffic and I know what site your pulling say based on the IP address. I can sit and look at the transfer size. When I see a server response the same size as one of my candidate compression tests; I now know at least one possible value for the dynamic content.

Its not a problem with the encryption algorithm. The message would not be recoverable unless I already knew almost all of it. Without thousands of cipher texts I can even begin to work out the change content. TLS address this by padding the responses with a little random length data.The trouble is the plain protocol has no padding and the VPN does not either. This can be fixed easily but its going to have a negative performance impact.