The HTTPS protection scheme, until now considered the last word in website security, is apparently not infallible after all. A breed of attack has re-emerged that can expose encrypted data such as e-mail addresses and social security numbers, without even needing to monitor the target user's Internet connection.
The security of data has been one of our greatest concerns in this data-driven age. The question of security acquires even greater significance when the data is at its most vulnerable, in other words when it is being transferred over computer networks. HTTPS is a protocol for securing communication over computer networks and is today deployed by millions of websites across the world.
The system was originally meant for payments made on the World Wide Web, for e-mail and for other sensitive transactions in corporate information systems. However, near the beginning of this decade it gained popularity as the medium of choice for protecting all websites. It was thought to be pretty infallible too — until now.
A newly discovered exploit can apparently make its way past all these security measures without even needing a man-in-the-middle position. Named HEIST — HTTP Encrypted Information can be Stolen Through TCP-Windows — the technique rings more than a few alarm bells for the Internet.
All it takes from a user's perspective is a click on an advertisement that contains some malicious code. Once the user does that, the code can query pages protected by the Secure Sockets Layer or Transport Layer Security protocols (SSL or TLS) and measure the size of the encrypted data being transmitted. Now, in case you are being smug and asking "What damage can a hacker possibly do by measuring the size of the encrypted data?", the answer is: a lot, as it turns out.
If the size of the transmitted packets of data is known, attackers can apply either the CRIME or the BREACH technique to decrypt the encrypted data. Both work by manipulating the compression the site uses, the same compression that makes web pages load more quickly: when attacker-influenced text is compressed together with a secret in the same response, the response shrinks slightly whenever the text repeats part of the secret, so its size betrays the secret's contents.
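The size oracle described above, and the per-response token masking that frameworks use to blunt it, as an added example that is not part of the original article or of the HEIST research; the token, page layout and guesses are constructed for illustration:

```python
import os
import zlib

# Constructed secret: a CSRF-style token the page embeds in every response.
# Letters outside a-f are used so the token can never appear inside hex output.
SECRET_TOKEN = "Xk7Qp3vT9mZr2Lw5"


def compressed_len(body: bytes) -> int:
    """Bytes on the wire when the response is sent with deflate/gzip encoding."""
    return len(zlib.compress(body, 6))


def render(token_field: str, reflected: str) -> bytes:
    """Constructed page: a secret field and attacker-influenced echoed text
    (a search string, for example) compressed together in one response body."""
    return (b"<input name='csrf' value='" + token_field.encode() + b"'>"
            b"<p>No results for: " + reflected.encode() + b"</p>")


def leak_delta(token_field: str, right_prefix: str, wrong_prefix: str) -> int:
    """Compressed-size advantage (in bytes) of echoed text that repeats the first
    bytes of the token over an equally long echo that does not. A positive,
    stable value is the size oracle BREACH-style attacks rely on; HEIST only
    changes how the attacker learns that size (from a browser, not the network)."""
    right = compressed_len(render(token_field, "csrf' value='" + right_prefix))
    wrong = compressed_len(render(token_field, "csrf' value='" + wrong_prefix))
    return wrong - right


def mask_token(token: str) -> str:
    """Mitigation used by frameworks such as Django and Rails: send
    mask || (mask XOR token) with a fresh random mask per response, so the
    literal token bytes never appear in the compressed body and no guess can
    shorten the output by matching them."""
    raw = token.encode()
    mask = os.urandom(len(raw))
    return (mask + bytes(m ^ t for m, t in zip(mask, raw))).hex()


def unmask_token(field: str) -> str:
    """Server side: recover the real token from the masked field."""
    data = bytes.fromhex(field)
    half = len(data) // 2
    return bytes(m ^ t for m, t in zip(data[:half], data[half:])).decode()


if __name__ == "__main__":
    print("unmasked token, size leak:", leak_delta(SECRET_TOKEN, "Xk7Qp3vT", "QwErTyUi"))
    print("masked token, size leak:  ", leak_delta(mask_token(SECRET_TOKEN), "Xk7Qp3vT", "QwErTyUi"))
```

With the plain token the correct guess saves roughly one byte per matched character; with the masked field the two guesses are indistinguishable by size. Disabling compression on responses that carry secrets is the blunter alternative.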
Speaking to Ars Technica, Tom Van Goethem, part of the team that devised the technique, said:
HEIST makes a number of attacks much easier to execute. Before, the attacker needed to be in a Man-in-the-Middle position to perform attacks such as CRIME and BREACH. Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk.
The data that can be decrypted includes e-mail addresses, social security numbers and other sensitive information.