David Heath
Tuesday, 11 August 2009 20:27
Business IT -
Security
Page 1 of 2
A recent research paper shows an unexpected attack on the HTTPS protocol. An attack that can succeed, easily.
This is an attack that has been known by Microsoft researchers for two years – clearly these are people who know how to keep a secret! During those two years, they have been in discussion with all major browser developers in order to address the identified issues.
What does it mean? Essentially, the padlock on the browser can easily be picked, and without a patched browser, you'd never know.
The good news? Most browsers have fixed the problem.
The bad news? The researchers are quite sure that there is more to the general category of attack than they have identified to date.
The research paper is available
here. Quoting from the paper: "This work was finished in July 2007, except for the paper writing and the vulnerability testing on the Google Chrome browser released in beta in Sept. 2008. The paper submission has been withheld until this conference." The conference mentioned being IEEE S&P '09.
The paper describes five major categories of vulnerability, four of which can reasonably described as being the domain of the browser. At the time of publishing, the two obvious issues have been addressed by all major browsers, however, of the others, few browser teams have done more than acknowledge the problems.
The final vulnerability, based on the theft of authentication cookies is generally considered to be outside the domain of browsers and thus must be addressed at the website level.
So, what exactly is the attack? Read on…
LATEST HEADLINES FROM YOUR IT
