New VORACLE Attack Can Recover HTTP Data From Some VPN Connections

"A new attack named VORACLE can recover HTTP traffic sent via encrypted VPN connections under certain conditions," reports Bleeping Computer, citing research presented last week at the Black Hat and DEF CON security conferences. An anonymous reader writes: The conditions are that the VPN service/client uses the OpenVPN protocol and that the VPN app compresses the HTTP traffic before it encrypts it using TLS. To make matters worse, the OpenVPN protocol compresses all data by default before sending it via the VPN tunnel. At least one VPN provider, TunnelBear, has now updated its client to turn off the compression. [UPDATE: ExpressVPN has since also disabled compression to prevent VORACLE attacks.]

HTTPS traffic is safe, and only HTTP data sent via the VPN under these conditions can be recovered. Users can also stay safe by switching to another VPN protocol if their VPN client suppports multiple tunneling technologies.
In response to the security researcher's report, the OpenVPN project "has decided to add a more explicit warning in its documentation regarding the dangers of using pre-encryption compression."

This suggests a serious weakness.

[BitterOak]

A good encryption algorithm should be able to protect any data, regardless of whether or not it is compressed. If compressing data before encryption renders the encryption algorithm insecure, I would suggest the algorithm was weak to begin with. Perhaps better, newer algorithms are needed. I'd be wary of a solution that just says "turn off compression and you'll be fine."

Re:Not particularly worried here

[lsllll]

All the attacker needs is to be able to inject something into the communication stream, pre-compression, and be able to monitor the length of the packets being sent back and forth. Over time, given that the same information is being sent over and over (think cookies), the attacker can then brute force the contents.