[cabfpub] A BREACH beyond CRIME :-(

Rob Stradling rob.stradling at comodo.com
Tue Jul 2 07:52:25 UTC 2013


More on this...

http://www.darkreading.com/vulnerability/https-side-channel-attack-a-tool-for-enc/240157583

On 29/05/13 15:07, Rob Stradling wrote:
> https://www.blackhat.com/us-13/briefings.html#Prado
>
> "SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME
> In this hands-on talk, we will introduce new targeted techniques and
> research that allows an attacker to reliably retrieve encrypted secrets
> (session identifiers, CSRF tokens, OAuth tokens, email addresses,
> ViewState hidden fields, etc.) from an HTTPS channel. We will
> demonstrate this new browser vector is real and practical by executing a
> PoC against a major enterprise product in under 30 seconds. We will
> describe the algorithm behind the attack, how the usage of basic
> statistical analysis can be applied to extract data from dynamic pages,
> as well as practical mitigations you can implement today. We will also
> describe the posture of different SaaS vendors vis-à-vis this attack.
> Finally, to provide the community with ability to build on our research,
> determine levels of exposure, and deploy appropriate protection, we will
> release the BREACH tool."
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.



More information about the Public mailing list