[cabfpub] A BREACH beyond CRIME :-(
Rob Stradling
rob.stradling at comodo.com
Wed May 29 14:07:58 UTC 2013
https://www.blackhat.com/us-13/briefings.html#Prado
"SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME
In this hands-on talk, we will introduce new targeted techniques and
research that allows an attacker to reliably retrieve encrypted secrets
(session identifiers, CSRF tokens, OAuth tokens, email addresses,
ViewState hidden fields, etc.) from an HTTPS channel. We will
demonstrate this new browser vector is real and practical by executing a
PoC against a major enterprise product in under 30 seconds. We will
describe the algorithm behind the attack, how the usage of basic
statistical analysis can be applied to extract data from dynamic pages,
as well as practical mitigations you can implement today. We will also
describe the posture of different SaaS vendors vis-à-vis this attack.
Finally, to provide the community with the ability to build on our research,
determine levels of exposure, and deploy appropriate protection, we will
release the BREACH tool."
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
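The abstract above describes the mechanism only in outline: a compressed HTTPS response shrinks by a few bytes whenever attacker-reflected input repeats bytes of a secret elsewhere in the same page, and that size difference is the "encrypted secret" leak. The following Python example is added here to make that point concrete for defenders; it is not code from the post, from the speakers, or from the BREACH tool. The CSRF secret, the page template and the guesses are constructed values, and the `mask_token` helper implements per-response secret masking (emit `mask || mask XOR secret`), one of the mitigations commonly recommended against compression side channels, not necessarily the one the talk presents.

```python
import os
import zlib
from typing import Optional

# Constructed sample: a 16-byte CSRF secret and a page template that echoes a
# request parameter ("Results for: ...") in the same body as the hidden token.
# Both values are made up for this demonstration.
SECRET = bytes.fromhex("3f9a2c1e5b7d8046a3c90d67f218b4e5")
TEMPLATE = (
    b"<html><body><form><input type=hidden name=csrf_token value='%s'>"
    b"</form><p>Results for: %s</p></body></html>"
)


def render(token_field: bytes, reflected: bytes) -> bytes:
    """Build the response body: hidden token field plus the echoed input."""
    return TEMPLATE % (token_field, reflected)


def compressed_size(body: bytes) -> int:
    """Bytes on the wire after DEFLATE, which is what the observer measures."""
    return len(zlib.compress(body, 9))


def length_signal(token_field: bytes, guess: bytes, wrong_guess: bytes) -> int:
    """Compressed-size difference between a non-matching reflection and `guess`.

    A positive value means the page got smaller when `guess` duplicated bytes
    already present in the body (DEFLATE replaced them with a back-reference).
    That shrink, observable despite TLS, is the side channel being described.
    """
    return (compressed_size(render(token_field, wrong_guess))
            - compressed_size(render(token_field, guess)))


def mask_token(secret: bytes, mask: Optional[bytes] = None) -> bytes:
    """Per-response masking (hypothetical helper): send mask || (mask XOR secret).

    The secret's own bytes never appear verbatim, and the field changes on every
    response, so a reflected guess has nothing stable to compress against.
    """
    mask = os.urandom(len(secret)) if mask is None else mask
    masked = bytes(m ^ s for m, s in zip(mask, secret))
    return (mask + masked).hex().encode()


def unmask_token(field: bytes) -> bytes:
    """Server-side inverse of mask_token: recover the secret to validate it."""
    raw = bytes.fromhex(field.decode())
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(m ^ s for m, s in zip(mask, masked))


if __name__ == "__main__":
    correct_prefix, wrong_prefix = b"3f9a2c1e", b"7b0e4d91"
    # Plain hex token: a correct 8-character prefix guess shrinks the response.
    plain = length_signal(SECRET.hex().encode(), correct_prefix, wrong_prefix)
    # Masked token (fixed mask here only so the run is reproducible): no shrink
    # distinguishes the correct prefix from a wrong one.
    masked = length_signal(mask_token(SECRET, b"\xff" * 16), correct_prefix, wrong_prefix)
    print(f"plain token: correct guess saves {plain} byte(s)")
    print(f"masked token: correct guess saves {masked} byte(s)")
    assert unmask_token(mask_token(SECRET)) == SECRET
```

Run it and compare the two numbers: with the plain token the correct prefix yields a response several bytes shorter than a wrong one, which is the statistical signal the abstract refers to; with the masked token the two sizes are essentially equal, because the guess no longer shares a substring with anything in the page. Disabling HTTP compression on responses that carry secrets, or separating secrets from user-reflected content, removes the signal in the same way.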