New attacks can extract confidential information from encrypted communication within 30 seconds

HTTPS encryption protects millions of websites in the world. However, there is a new attack method, hackers can extract the email address and credentials from the encrypted page. This process usually takes only 30 seconds. The technology was demonstrated at the Las Vegas Black Hat Security Conference on Thursday. During the demonstration, hackers cracked Response Information encrypted using SSL and TLS protocols for online banking and e-commerce websites.

The attack extracted specific sensitive data such as social security numbers, email addresses, security tokens, and password reset connections. This attack method is effective for all versions of TLS and SSL, regardless of the encryption algorithm or key (cipher) used ).

This method requires the attacker to listen to the traffic between the user and the website, and the attacker also needs to induce the victim to access a malicious link. The iframe tag can be injected on the website to allow the victim to access or guide the victim to view the email. The hidden image in the tag will generate an HTTPS request during loading. Malicious links allow the victim's computer to send multiple requests to the target server for message spying.

"We won't crack the entire communication process, but extracted some confidential information we are interested in," says Yoel Gluck, one of the three researchers who invented this attack. "This is a type of attack.

Targeted attacks. We only need to find a place on the website for password or password exchange, and we can extract confidential information on that page. In general, no matter whether the webpage or Ajax response is confidential, we can extract it within 30 s ."

This latest attack allows Web, email, and other networks protected by HTTPS

The security of the service is no longer available. At the same time, this attack method has become one of the new technologies most sought after by hackers. However, no attackers can break through the HTTPS security line. This attack method is called BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext)