David Heath
Tuesday, 11 August 2009 19:27
A recent research paper shows an unexpected attack on the HTTPS protocol, one that can succeed easily.
This is an attack that has been known by Microsoft researchers for two years – clearly these are people who know how to keep a secret! During those two years, they have been in discussion with all major browser developers in order to address the identified issues.
What does it mean? Essentially, the padlock on the browser can easily be picked, and without a patched browser, you'd never know.
The good news? Most browsers have fixed the problem.
The bad news? The researchers are quite sure that there is more to the general category of attack than they have identified to date.
The research paper is available here. Quoting from the paper: "This work was finished in July 2007, except for the paper writing and the vulnerability testing on the Google Chrome browser released in beta in Sept. 2008. The paper submission has been withheld until this conference." The conference mentioned is IEEE S&P '09.
The paper describes five major categories of vulnerability, four of which can reasonably be described as being the domain of the browser. At the time of publishing, the two obvious issues have been addressed by all major browsers; for the others, however, few browser teams have done more than acknowledge the problems.
The final vulnerability, based on the theft of authentication cookies, is generally considered to be outside the domain of browsers and thus must be addressed at the website level.
So, what exactly is the attack? Read on…