No. 1 Story

ACCC clears Optus to scrap HFC network and use NBN instead

The ACCC has cleared, provisionally, the proposed deal between Optus and NBN Co under which Optus is to be paid around $800m to shut down its HFC network and transfer customers onto the NBN. read more

Related Articles

HTTPS, broken, browsers, have, covered, kinda
Allen Bradley controllers have multiple security vulnerabilities
Multiple vulnerabilities exist in Allen Bradley Micrologix 1100 and 1400 PLCs. Details remain sketchy, but...
Read More
IE7 and Opera browsers upgrade phishing protection
Microsoft has fixed a bug causing Internet Explorer 7's phishing shield to bog down page...
Read More
Windows and Office have very critical Patch Tuesday
Microsoft has identified no less than eight critical flaws in its Windows and Office...
Read More

More From

Popular Threads

HTTPS is broken, browsers have it covered, kinda

David Heath
Tuesday, 11 August 2009 19:27

Business IT - Security

View Comments
Page 2 of 2
The attack is based on an abstracted adversary called "Pretty bad Proxy" (PBP).  This is defined in the context of the kinds of threats that the HTTPS protocol should cope with.  And in this case, doesn't.

Quoting again from the paper: "PBP is a malicious proxy targeting browsers' rendering modules above the HTTP/HTTPS layer. It attempts to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme. We discovered a set of vulnerabilities exploitable by a PBP: in many realistic network environments where attackers can sniff the browser traffic, they can steal sensitive data from an HTTPS server, fake an HTTPS page and impersonate an authenticated user to access an HTTPS server. These vulnerabilities reflect the neglects in the design of modern browsers – they affect all major browsers and a large number of websites."

"The adversary model of HTTPS is simple and clear: the network is completely owned by the adversary, meaning that no network device on the network is assumed trustworthy. The protocol is rigorously designed, implemented and validated using this adversary model. If HTTPS is not robust against this adversary, it is broken by definition."

In short, the Pretty Bad Proxy is able to execute a man-in-the-middle attack at upper-layer protocols and thereby indirectly compromising the HTTPS protocols; specifically it "targets the browser's rendering modules above the HTTP/HTTPS layer in order to break the end-to-end security of HTTPS."

Let's make this simple.  A potential attacker waits for the browser to decrypt the traffic before stepping in and grabbing it.  Obviously defending against this is tricky, hence the fact that only some of the potential attack vectors have been dealt with.

Worse, other as-yet unidentified attacks may-well be possible.  This is also OS-independent.  Fun times ahead.


Start 1 2 Next 

Our Services for Technology Professionals

E - mail News SMS Headlines Desktop Alerts News Feeds Job Alerts Technology Events Press-Releases