August 13, 2013

TIME and again: an SSL breach before BREACH

Img_https_failLast week at Black Hat 2013, one of the briefings that garnered a lot of attention was ‘SSL, GONE IN 30 SECONDS – A BREACH BEYOND CRIME.’. The briefing detailed an extension of 2012’s CRIME attack.  While the original CRIME attack targeted a compression information leakage vulnerability in order to expose secrets contained in compressed and encrypted HTTP requests, the new BREACH attack exposed secrets in HTTP responses.  The briefing and accompanying paper successfully explain a complex subject that involves different domains (compression, encryption, web protocols, etc.) in a very clear way.

At Black Hat Europe earlier this year, I presented on a similar topic. The briefing, called “A PERFECT CRIME? ONLY TIME WILL TELL,“ discusses this extension of the CRIME attack as well as some timing based attacks on SSL. The abstract includes some specific mentions on “the relevancy of compression ratio information leakage for HTTP responses,” which is discussed in detail in the publicly available white paper .

Our work did not stop at applying the CRIME attack to responses. Digging deeper, we were able to determine that the compression vulnerability can be exploited even if the attacker does not have any eavesdropping capability, by using timing inference.

This is one of the reasons why conferences like Black Hat is so important. We have been in touch with the authors of the BREACH paper, who have added a note about it in their website and will mention our work in their paper. We hope that the renewed interest in the attack will motivate browser’ and server vendors to find a solution for it, including the grave, additional timing issues which our TIME attack had exposed.

For more information, follow these links:

Authors & Topics:

Share on LinkedIn


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.