HTTPS is broken, browsers have it covered, kinda

Business IT - Security

The attack is based on an abstracted adversary called the "Pretty Bad Proxy" (PBP), defined in terms of the kinds of threats that the HTTPS protocol is supposed to cope with, and in this case doesn't.

Quoting again from the paper: "PBP is a malicious proxy targeting browsers' rendering modules above the HTTP/HTTPS layer. It attempts to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme. We discovered a set of vulnerabilities exploitable by a PBP: in many realistic network environments where attackers can sniff the browser traffic, they can steal sensitive data from an HTTPS server, fake an HTTPS page and impersonate an authenticated user to access an HTTPS server. These vulnerabilities reflect the neglects in the design of modern browsers – they affect all major browsers and a large number of websites."

"The adversary model of HTTPS is simple and clear: the network is completely owned by the adversary, meaning that no network device on the network is assumed trustworthy. The protocol is rigorously designed, implemented and validated using this adversary model. If HTTPS is not robust against this adversary, it is broken by definition."

In short, the Pretty Bad Proxy executes a man-in-the-middle attack at the upper-layer protocols and thereby indirectly compromises HTTPS; specifically, it "targets the browser's rendering modules above the HTTP/HTTPS layer in order to break the end-to-end security of HTTPS."

Let's make this simple.  Rather than attacking the encryption itself, a potential attacker waits for the browser to decrypt the traffic and then steps in and grabs it at the rendering layer.  Obviously, defending against this is tricky, which is why only some of the potential attack vectors have been dealt with so far.

Worse, other as-yet unidentified attacks may well be possible.  The problem is also OS-independent.  Fun times ahead.
