HTTPS Exploit Can Steal Your Secure Data – Black Hat 2016

IT security is top of mind for many enterprises these days. And with the announcements coming out of the Black Hat Conference that won’t be changing anytime soon.

On Wednesday, August 3rd at the Black Hat 2016 conference in Las Vegas there was an eye opening demonstration on the need for updated Internet security protocols. At a briefing entitled “HEIST: HTTP Encrypted Information Can be Stolen Through TCP-Windows”, researchers Mathy Vanhoef and Tom Van Goethem demonstrated a set of techniques that would allow hackers to listen in on secured traffic directly, without the need for an intervening network.

Used to transfer information over
HTTPS Exploitthe Internet, HTTP is the foundational protocol that enables communication over the Web. HTTPS uses this protocol combined with Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL), to provide secure communication over the Internet. Using HTTPS authenticates the connection between a user’s browser and a web server to protect private information that is passed between the two.

One of the purposes of using HTTPS is to prevent a man-in-the-middle atttack – an attack in which a hacker impersonates each of the end points in the communication. The user’s web browser thinks it is speaking directly to the web server, and visa versa, while the messages are actually being passed through a third party. Because of the end to end authentication with HTTPS it is difficult to impersonate or even eavesdrop on the data being passed back and forth.

With the newly discovered HEIST technique, a man-in-the-middle attack is no longer needed. In fact, as described in detail in this article on Ars Technica, the user only needs to “encounter an innocuous-looking JavaScript file hidden in an Web advertisement or hosted directly on a webpage”. This code can then be used to find out information about the file sizes transmitted from TLS or SSL secured pages and use that information, combined with another attack, to tease your information out of the HTTPS encrypted responses. These could even be small pieces of data with a big impact – like your email address or social security number.

Once HEIST has the files size, it partners with other exploits to use HTTPS’s security measures against itself. You see, most websites use compression in their responses by not repeating text strings within the data. Exploits like BREACH, being discussed on Thursday at the Black Hat conference, use this information to play an intelligent game of true or false. The exploit guesses part of the string, and if it’s right, the response doesn’t grow in size. Instead, the repeated strings are removed by the compression. If it’s wrong, the compression can’t eliminate the string, and the response grows. And now, thanks to HEIST, the exploit knows the file size of the data.

The good news is that a number of tools are being released this week to help teams assess their vulnerability to BREACH. The bad news is that the only way known, at the moment, to mitigate HEIST is to turn off 3rd party cookies. These are on by default in most browsers and will cause a number of online services not to work.

Expect to see recommended changes to your applications to reduce the potential risk associated with these issues and even changes to best practices on how sensitive data is exchanged in Web response messages. With no blanket fixes, these exploits will take time and resources to mitigate and new policies outlining how you’ll handle data going forward. But ignoring the changes could be devastating for businesses and their customers.