[cabfpub] A BREACH beyond CRIME :-(

Phillip Hallam-Baker philliph at comodo.com
Tue Jul 2 14:02:22 UTC 2013


These SSL attacks are getting silly. Use of bearer tokens is not a viable authentication approach when an attacker can mount an adaptive chosen plaintext attack.

I wrote the following in response to CRIME:

http://www.ietf.org/id/draft-hallambaker-httpsession-01.txt


The basic idea is that instead of passing authentication cookies over the wire repeatedly, the secret is passed ONCE and after that the parties only exchange knowledge of the token. It has been submitted to the WebSec working group but nobody has commented to date. I was waiting for BlackHat.

On May 29, 2013, at 10:07 AM, Rob Stradling <rob.stradling at comodo.com> wrote:

> https://www.blackhat.com/us-13/briefings.html#Prado
> 
> "SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME
> In this hands-on talk, we will introduce new targeted techniques and 
> research that allows an attacker to reliably retrieve encrypted secrets 
> (session identifiers, CSRF tokens, OAuth tokens, email addresses, 
> ViewState hidden fields, etc.) from an HTTPS channel. We will 
> demonstrate this new browser vector is real and practical by executing a 
> PoC against a major enterprise product in under 30 seconds. We will 
> describe the algorithm behind the attack, how the usage of basic 
> statistical analysis can be applied to extract data from dynamic pages, 
> as well as practical mitigations you can implement today. We will also 
> describe the posture of different SaaS vendors vis-à-vis this attack. 
> Finally, to provide the community with ability to build on our research, 
> determine levels of exposure, and deploy appropriate protection, we will 
> release the BREACH tool."
> 
> -- 
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
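The "pass the secret once, then only exchange knowledge of it" idea from the post above, as an added Python illustration that is not code from the draft or from this thread. The message layout, the HMAC over method, path and a fresh nonce, and the nonce-burning replay check are my assumptions, not the draft's design; the point it shows is that a later request repeated under an attacker's chosen plaintext never contains the secret, only a proof that changes every time.

```python
import hashlib
import hmac
import os

# Constructed illustration (not draft-hallambaker-httpsession's wire format):
# the session secret travels once, at login; every later request carries a
# per-request HMAC keyed with that secret, so the secret itself is never
# repeated on the wire where a length-based side channel could recover it.


class SessionServer:
    def __init__(self):
        self.sessions = {}  # session_id -> [secret, set of nonces already used]

    def login(self):
        """The one message that carries the secret; everything after is a proof."""
        sid = os.urandom(8).hex()
        secret = os.urandom(32)
        self.sessions[sid] = [secret, set()]
        return sid, secret

    @staticmethod
    def proof(secret, method, path, nonce):
        msg = b"\x00".join(s.encode() for s in (method, path, nonce))
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def verify(self, request):
        """A captured proof is bound to its (method, path) and cannot be replayed
        because its nonce is burned on first use."""
        entry = self.sessions.get(request["sid"])
        if entry is None:
            return False
        secret, used = entry
        if request["nonce"] in used:
            return False
        expected = self.proof(secret, request["method"], request["path"],
                              request["nonce"])
        if not hmac.compare_digest(expected, request["proof"]):
            return False
        used.add(request["nonce"])  # a real server would also expire old nonces
        return True


def client_request(sid, secret, method, path):
    """What goes on the wire: session id, fresh nonce and proof, never the secret."""
    nonce = os.urandom(12).hex()
    return {"sid": sid, "method": method, "path": path, "nonce": nonce,
            "proof": SessionServer.proof(secret, method, path, nonce)}
```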
