As if we didn’t have enough security concerns at the moment, here comes another one to make the situation worse. HTTPS, long the staple of website logins, is now said to be vulnerable to a new Department of Homeland Security debuted vulnerability, that allows those using it to potentially steal plaintext information from an HTTPS stream.
Unveiled last Thursday at the Black Hat conference in Las Vegas by Salesforce.com, the attack is described (by InformationWeek) as a, ” man in the middle HTTPS crypto attack,” that is launched by watching the size of the “cipher text received by the browser, while triggering a number of strategically crafted requests to a target site.”
It’s still somewhat archaic in that the sender has to have some idea of what the correct information might be. When they strike lucky, the HTTPS response will be smaller and therefore let on that they’ve guessed correctly. It apparently takes around 4,000 requests usually, but then again, they can be completed in around 30 seconds.
The response from the security community has been to suggest a fix for the HTTPS protocol, but it won’t be easy. The only upside of the whole thing is that the hack needs to be triggered on a site by site basis, so it can’t be applied to a large number at a time. Hackers would also need to be able to passively monitor the target’s internet traffic, which would potentially mean they need to be on the same local network – which is unlikely in a lot of cases.
KitGuru Says: Hopefully that means the HTTPS is relatively safe for now, but as usual, take basic steps to keep your data secure. Use unique, complicated passwords for everything you do online.