New attacks can extract confidential information from encrypted communication within 30 seconds

Source: Internet
Author: User

HTTPS encryption protects millions of websites in the world. However, there is a new attack method, hackers can extract the email address and credentials from the encrypted page. This process usually takes only 30 seconds. The technology was demonstrated at the Las Vegas Black Hat Security Conference on Thursday. During the demonstration, hackers cracked Response Information encrypted using SSL and TLS protocols for online banking and e-commerce websites.

The attack extracted specific sensitive data such as social security numbers, email addresses, security tokens, and password reset connections. This attack method is effective for all versions of TLS and SSL, regardless of the encryption algorithm or key (cipher) used ).

This method requires the attacker to listen to the traffic between the user and the website, and the attacker also needs to induce the victim to access a malicious link. The iframe tag can be injected on the website to allow the victim to access or guide the victim to view the email. The hidden image in the tag will generate an HTTPS request during loading. Malicious links allow the victim's computer to send multiple requests to the target server for message spying.

"We won't crack the entire communication process, but extracted some confidential information we are interested in," says Yoel Gluck, one of the three researchers who invented this attack. "This is a type of attack.

Targeted attacks. We only need to find a place on the website for password or password exchange, and we can extract confidential information on that page. In general, no matter whether the webpage or Ajax response is confidential, we can extract it within 30 s ."

This latest attack allows Web, email, and other networks protected by HTTPS

The security of the service is no longer available. At the same time, this attack method has become one of the new technologies most sought after by hackers. However, no attackers can break through the HTTPS security line. This attack method is called BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.