Jump to content

HTTPS Exploit showcased at BlackHat

Crion
By Crion
in Tech News
 Share
Posted

Happened last week but no one posted anything about it.  

 

Basically, the gist of it is that this attack can extract things like social security numbers, usernames, email-addresses, and passwords from HTTPS encrypted streams regardless of the cipher used by exploiting the compression algorithms used by almost every web server.  It doesn't completely decrypt the stream, but it can expose enough information where it doesn't matter.

 

My take, we've known that SSL is in dire need of a massive update on how it works or a complete replacement for a long time.  More exploits like this just hasten its death.  

 

Source: http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/

Source: https://media.blackhat.com/us-13/US-13-Prado-SSL-Gone-in-30-seconds-A-BREACH-beyond-CRIME-WP.pdf

 

 

Current Rig
AMD Ryzen 5900X - Asus ROG Strix X570-E Gaming WiFi 2 - 32 GB GSkill TridentZ RGB
GeForce RTX 3080 - WD Black SN850 1TB  - Lian Li O11 Dynamic XL

Link to comment
https://linustechtips.com/topic/44078-https-exploit-showcased-at-blackhat/
Share on other sites
Link to post
Share on other sites
Posted

@LinusTech @Slick @Windspeed36

 

 

CLOSE THE GATES!!!

Andres "Bluejay" Alejandro Montefusco - The Forums Favorite Bird!!!

Top Clock: 7.889 Ghz Cooled by: Liquid Helium   

#ChocolateRAM #OatmealFans #ScratchItHarder #WorstcardBestoverclocker #CrazySexStories #SchnitzelQuest TS3 SERVER

Link to post
Share on other sites
Posted

Guess HTTPS needs to be updated now since there are exploits in it that can affect people.

Hello and Welcome to LTT Forum!


If you are a new member, please read the rules located in "Forum News and Info". Thanks!  :)


Linus Tech Tips Forum Code of Conduct           FAQ           Privacy Policy & Legal Disclaimer

Link to post
Share on other sites
Posted

Guess HTTPS needs to be updated now since there are exploits in it that can affect people.

You mean now that people know there are exploits that could affect them. It's not like they magically appeared. These exploits existed before they were revealed much like how crossfire issues existed before frame capturing tech proved it:D

Link to post
Share on other sites
Posted
  • Author

Guess HTTPS needs to be updated now since there are exploits in it that can affect people.

 

Security researchers have been advocating for SSL to be replaced for years.  Man-in-the-middle attacks are the most common way of exploiting SSL and the only safeguard against them are a system of trust we call the Certificate Authority system which is completely exploitable.  If you doubt it, ask Comodo (had a root CA stolen) or DigiCert (also had a root CA stolen).

Current Rig
AMD Ryzen 5900X - Asus ROG Strix X570-E Gaming WiFi 2 - 32 GB GSkill TridentZ RGB
GeForce RTX 3080 - WD Black SN850 1TB  - Lian Li O11 Dynamic XL

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Tech News

×