A NEW ATTACK allows network operators, including anyone who owns a WiFi hotspot, to snoop on people's browsing habits and see any webpage they visit.
Fortunately, readers of the INQUIRER look at nothing more incriminating than the latest, hottest tech news, but other, less noble, netizens will no doubt be quaking in their onesies about now.
The attack works by bypassing the HTTPS encryption which is supposed to prevent this happening. HTTPS would normally prevent the operator seeing the URLs visited by users, but a new technique abuses Web Proxy Autodiscovery and exposes browser requests to any code the network owner wants to fling at it.
Itzik Kotler, CTO and co-founder, and Amit Klein, VP of security research, at security firm SafeBreach will demonstrate how the attack works at next week's Black Hat conference in a talk entitled Crippling HTTPS with Unholy PAC.
"We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs," the pair wrote on the Black Hat site.
"We will explain how this affects the privacy of the user and how credentials/sessions can be stolen. We will present the concept of 'PAC malware' (a malware which is implemented only as JavaScript logic in a PAC resource) that features a two-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URLs.
"We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat."
This isn't the first time that the HTTPS protocol has allegedly been cracked. Documents released by whistleblower Edward Snowden showed that the US National Security Agency has been at it for years by exploiting certain variations of the Diffie-Hellman key exchange algorithm, a common way to exchange cryptographic keys over untrusted channels.
A story emerged earlier this year suggesting that internet users could bypass ISP blocks on torrent sharing and other media streaming sites of dubious legality simply by adding an 's' to the end of 'http' in the address.
So HTTPS is still good for something, then. SB
"We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat."
This isn't the first time that the HTTPS protocol has allegedly been cracked. Documents released by whistleblower Edward Snowden showed that the US National Security Agency has been at it for years by exploiting certain variations of the Diffie-Hellman key exchange algorithm, a common way to exchange cryptographic keys over untrusted channels.
A story emerged earlier this year suggesting that internet users could bypass ISP blocks on torrent sharing and other media streaming sites of dubious legality simply by adding an 's' to the end of 'http' in the address.
So HTTPS is still good for something, then. SB
0 comments: