Heist

HTTPS Vulnerability

     
5:04 am on Aug 14, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 891


New security vulnerabilities have been found when combining HTTPS and GZIP compression.
The HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet's most basic building blocks.

Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside.
source: [arstechnica.com...]

- - -
9:36 am on Aug 14, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 90


The exploit is notable because it doesn't require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage.

I have often mentioned it: we should limit third-party elements at our sites to the very strict minimum, because we can't control them, and they can be compromised, ahead.

That being said, on pages with a form (sign-in, contact, etc.), I NEVER insert any third-party code. These pages are fully under my control. (Now, if the computer of the client is compromised, that's another problem.)

P.S. Also, I am using Brotli, without fallback to GZ, but I bet that one day, someone, somewhere, will find a breach in Brotli too.

- - -
10:17 am on Aug 14, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 891


"I am using Brotli, without fallback to GZ. but I bet that one day, someone, somewhere, will find a breach in Brotli too"
Doesn't say that the hack is limited to GZIP. I think GZIP was mentioned in the first article because it is common to most sites using file compression.

Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly.

- - -
9:22 pm on Aug 15, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 891


Those upgrading their servers to support TLS 1.3 are doing so with a default of no compression.

- - -
8:56 am on Aug 17, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Nov 13, 2016
posts:596
votes: 90


Do you mean they are disabling compression?

- - -
9:14 am on Aug 17, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 891


Not disabling. Default is no compression. File compression is something that is added, by various means.
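
- - -
The length signal discussed in this thread (a response whose compressed size depends on the secret it contains), shown as an added example that is not part of any post or of the cited article. The page template, token value and guesses are constructed, and Python's `zlib` and `lzma` modules stand in for whatever compressor a server applies; this is an assumption, since Brotli is not in the standard library.

```python
import lzma
import zlib

# Constructed sample data: the page template, token and guesses are made up.
SECRET = "csrf_token=9f2c47a1e05b8d36c1f4a7e92b05d863"
WRONG = "csrf_token=5d81b3e6f47a02c9d8e3b61f40a7c295"  # same length, wrong value
PAGE = (
    "<html><body><p>Results for {q}</p>"
    "<a href='/logout?{secret}'>Log out</a></body></html>"
)

# What a server might apply to the body before TLS encrypts it.
ENCODINGS = {
    "none": lambda b: b,
    "deflate": lambda b: zlib.compress(b, 9),  # DEFLATE, the algorithm gzip uses
    "lzma": lambda b: lzma.compress(b),        # stand-in for "another compressor"
}


def response_size(reflected, encoding):
    """Body length on the wire. TLS hides the bytes, not how many there are."""
    body = PAGE.format(q=reflected, secret=SECRET).encode()
    return len(ENCODINGS[encoding](body))


def size_gap(encoding):
    """Bytes saved when the reflected text equals the secret rather than a
    same-length wrong value. Non-zero means length depends on the secret."""
    return response_size(WRONG, encoding) - response_size(SECRET, encoding)


def audit():
    """Size gap per encoding for the constructed page above."""
    return {name: size_gap(name) for name in ENCODINGS}


if __name__ == "__main__":
    for name, gap in audit().items():
        verdict = "length depends on the secret" if gap else "no length signal"
        print(f"{name:8s} gap={gap:3d} bytes  {verdict}")
```

The zero gap for `none` is why serving secret-bearing responses uncompressed removes this particular signal, while the non-zero gap for both compressors shows the effect is not specific to one algorithm.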