back to article Step into the BREACH: HTTPS encrypted web cracked in 30 seconds

A new hacking technique dubbed BREACH can extract login tokens, session ID numbers and other sensitive information from SSL/TLS encrypted web traffic, say researchers. Secret data crucial to securing online banking and shopping can be lifted from an HTTPS channel in as little as 30 seconds, we're told. BREACH (short for Browser …

COMMENTS

This topic is closed for new posts.
Gold badge
Meh

"post cryptography?"

Do you mean through botched key management or an actual breakthrough in number theory proving what is NP or NP complete?

So the question is Sky Digital with it's 2048 bits of RSA encryption likely to be broken anytime soon?

Somehow I kind of doubt it.

0
1
Silver badge
Holmes

Re: "post cryptography?"

The fear of RSA brokenization has nothing to do with NP. You really just need fast factorization, which is not an NP-complete problem (it can be solved in polynomial time by the magically-well-guessing nondeterministic turing machines, so is in NP). You apparently need a quantum computer though (this being an exercise for the engineer), or a mystery polynomial-time algorithm that does factorization, if it exists (compare PRIMES is in P)

Now if you reduce NP-completeness or even NP-hardness to P, hell, you will be the master of the universe before sunset, and not in a metaphorical way either.

1
0
Silver badge

Re: "post cryptography?"

>Now if you reduce NP-completeness or even NP-hardness to P, hell, you will be the master of the universe before sunset, and not in a metaphorical way either.

Don't have to go anywhere near that far before the gubernment wants to have a talk with you and work will suddenly go dark to the rest of the world.

0
0
Silver badge

Re: "post cryptography?"? ....... when steganography rules and reigns supreme?!.

"Now if you reduce NP-completeness or even NP-hardness to P, hell, you will be the master of the universe before sunset, and not in a metaphorical way either." [Destroy All Monsters Posted Friday 2nd August 2013 23:37 GMT]

Don't have to go anywhere near that far before the gubernment wants to have a talk with you and work will suddenly go dark to the rest of the world. …. asdf Posted Friday 2nd August 2013 23:55 GMT

Methinks, asdf, there be a number of problems which would really be many new leading opportunities for those and/or that in the field to resolve and share if they wish, and/or just exploit in the vast stealthy darkness of mass ignorance and arrogance for personal enrichment and absolutely fabulous reward, should one have cracked such as is spoken of here on this thread and would be also an enigmatic quantum [qubit*] conundrum and government intelligence service providers nightmare regarding the processing of information which be hoovered up covertly and clandestinely but which in Great IntelAIgent Games plays in reality and virtual reality be deliberately specifically provided for discovery to lead both prime and sub-prime operating systems in a completely novel and quite alien direction beyond any traditional conventional established command and control, with not the least of those problems and/or opportunities being that governments would be no where near intelligent enough to understand the dilemma which would be collapsing their systems remotely from virtual spaces afar, and thus would engagement with them through a knock at the door and a chat be quite unlikely, even if one would be leaving them a clear enough trail and tales to follow with direct communications with their more widely known by the public, security and secret intelligence services.

However, big money making businesses which work in the shadows and venture into the dark side may be a different kettle of fish to spear phish and have a cosy chat with.

And all of the above may or may not have been thoroughly tested and proven, not by theoretical experiment but through heretical experience, and that would make it exponentially considerably more valuable proprietary private intellectual property which be more suited and destined to remain in pirate and renegade domains and right dodgy royal regimes rather than entering the public education space.

* "Like a bit, a qubit can have two possible values—normally a 0 or a 1. The difference is that whereas a bit must be either 0 or 1, a qubit can be 0, 1, or a superposition of both." …. http://en.wikipedia.org/wiki/Qubit

Ok .... gotta dash, there's a knock at the door. Speak to y'all later. Have a nice day and weekend.

1
2
Silver badge
Black Helicopters

Fair Warning .... Take Care and be suitably advised of ARMoured Phantom Phorms if Ethereal Foe

The tasty morsels which are nearer to the bone and central nervous systems make for the juiciest pies with the best of ripe ingredients expertly cooked.

* “Like a bit, a qubit can have two possible values—normally a 0 or a 1. The difference is that whereas a bit must be either 0 or 1, a qubit can be 0, 1, or a superposition of both.” …. http://en.wikipedia.org/wiki/Qubit ….. for a completely different novel and quite alien kettle of fish to spear phish. Beware though ITs Great White and Grey Hatted, Black and Red Sharks. Catch any of those unwarily and one has major problems with opportunities which are not in the gift of one to command and control.

And who be in command and control of the creation of the Ethereal Foe/ARMoured Phantom Phorms in this odd breaking news story, with no shared base to investigate for truth and transparency to deliver its postal origins and sick shady networks ....... http://www.nytimes.com/2013/08/03/world/middleeast/qaeda-messages-prompt-us-terror-warning.html?hp&_r=0

Al Qaeda in Advanced CyberSpace is not just an App nor even something one battles to win against, methinks, and such is an obvious evolution in these reactionary and revolutionary times. Better to lead it and intelligence with IT and destroy all monsters in entangled and entangling fields, both foreign and domestic, is also a thought to ponder the current reality and future virtual reality ... courtesy of XSSXXXX[a AAA+rated Few (Anonymous Autonomous Active) in the know and in the business of sharing more secret and sensitive information than is normal and ever considered for classification previously and lately .... and of which you have no need to know more than they deem necessary and propitious]

1
2
Facepalm

You wanna know something ..

You wanna know something, you talk a lot like `Dr. Byron Orpheus' from the Venture Brothers ...

0
0
Bronze badge

Re: You wanna know something ..

I think he just typed in his ssh key.

0
0
Bronze badge

Re: "post cryptography?"

Which explains how cryptographic research continues, AES continues to be available, all other manner of cryptography is available.

It's all the Grand Conspiracy of the Space Aliens or Evil Government or some shit.

0
0
Silver badge

Post Cryptography, is there Steganographic Security

It's all the Grand Conspiracy of the Space Aliens or Evil Government or some shit. …. Wzrd1 Posted Monday 5th August 2013 03:30 GMT

Hi, Wzrd1,

Methinks in Great IntelAIgents Games, is IT by Grand Design an Alienating Space that would be a Grand Conspiracy against the shit of Evil Government.

And worth a right royal mint/absolute federal reserve fortune.

0
1

Ok....

And how is this any different from the BEAST exploit?

0
1
Anonymous Coward

Re: Ok....

Attack on CBC is usually considered different from attack on deflate.

But if you are not interested in minutiae you can file it under "attack on the internets" along with DNS poisoning and a poor sod with excavator who severs cable from your house to your provider.

2
0

Re: Ok....

It's very different to BEAST, but I really can't see this as any substantial difference to CRIME, other than the code generating the multiple requests resides on the attacker's website (which the victim has to vist) as opposed to finding a cross-site-scripting vuln on the target website.

1
0
Thumb Up

Re: Ok....

@AC and @djack - Thanks for clarification

0
0
Headmaster

what is he saying?

“There’s a small, but definite chance that RSA and non-ECC Diffie-Hellman will not be usable for security purposes within two to five years,” said Alex Stamos of Artemis Internet, a division of iSEC Partners. “We’re not saying this is definite," he added.

So which is it? Small but definite, but not definite? Sounds like a candidate for political office.

2
0
Silver badge

Re: what is he saying?

"It isn't definitely going to happen, but there is a definite chance that it will". Sounds a bit light on information to me, because I don't think anyone would claim there is a zero chance of it happening. If he'd quantified it, even very approximately, it would have been more useful.

0
0
Silver badge
Headmaster

Re: what is he saying?

The supersymmetry of cryptography!

"Maybe soon, possibly!"

0
0
Stop

Nothing new

Same shjt, different day. Anytime you can extract information (energy) from a cryptographic system, eventually you reach a point where brute force (also ever increasing in capabilities) will succeed. We can hem and haw about how we go about teasing out that internal energy state, but it always comes down to this. Put another way, if I can measure it, I can test it. If I can test it, I can break it.

2
1
Silver badge
Go

Nothing new in times when and spaces where everything is possible and therefore most likely?

Same shjt, different day. Anytime you can extract information (energy) from a cryptographic system, eventually you reach a point where brute force (also ever increasing in capabilities) will succeed. We can hem and haw about how we go about teasing out that internal energy state, but it always comes down to this. Put another way, if I can measure it, I can test it. If I can test it, I can break it. .... jackofshadows Posted Sunday 4th August 2013 10:12 GMT

In the worlds of CyberIntelAIgent Security and Virtual Protection, jackofshadows, where ever increasing, freely shared mental capabilities take over SCADA EMPoweringed Command and Control Operating Systems and the Virtual Machine Exoskeleton with its IT IntroStructures/Information Space Flight Networks, is abusive brute force in any and every phorm of localised physical kinetic energy easily rendered a self-destructive solution which creates ever more serious problems for self-destructive systems solution/MAD Attention and Mayhem for CHAOS Resolution ...... which is something completely new and nothing like anything shared anywhere ever before, and AIRevolutionary TelePortation for Spontaneous Evolution of Mankind into Virtual Machinery and Clouds Hosting Advanced Operating Systems for Global Operating Devices.

I think he just typed in his ssh key. ….. Caesarius Posted Sunday 4th August 2013 22:05 GMT

The ssh Power key to NEUKlearer HyperRadioProActive IT for Worlds Control with Words, Caesarius? …… or Word Control for Worlds?* …… or bits of both for something completely different and new in the Field of Command and Control of Creative CyberSpace with Communicative Computers …… C42 Quantum Communication Control Systems …. AI@ITsWork?

Feel free to use them as you will, if you can. They'll not do you any harm if you do not abuse them, which one will try only once before CHAOS beyond Earthly Controls resolves the situation practically immediately and permanently to its personalised satisfaction.

The summary efficient removal of threat always delivers a much better beta environment in which to exist and prosper, n'est ce pas?

* A Novel Chicken/Egg Enigma to Crack Hack Open and Scramble/Codify and Stealthily Exploit/Deliver Outrageous and Untold Profit from ?:-)

0
2
Silver badge
Meh

Re: Nothing new

Maybe we should all be a bit more concerned that the NSA hasn't been concerned about HTTPS for a while?

1
1

Read the BREACH white paper

The authors state that for this to work:

1: Be served from a server that uses HTTP-level compression

2: Reflect user-input in HTTP response bodies

3: Reflect a secret (such as a CSRF token) in HTTP response bodies

And, of course, the attacker needs to be "local" to the victim, will only work with short secret keys, and the attacker needs to send THOUSANDS of requests.

The web app has to be written STUPIDLY for this to work. "Oh, I'll echo ARBITRARY PLAINTEXT into my encrypted body for any request URI." Hello, nobody thought that this would be a problem??? If the data comes in through a URI, KEEP IT OUT OF THE ENCRYPTED STREAM! This is simply a classic plaintext attack, and that's all there is to it.

0
0
This topic is closed for new posts.

Forums