July 29, 2010

Black Hat 2010: Even with SSL/TLS, browsers still are susceptible to attack

Two researchers at the Black Hat conference in Las Vegas on Thursday exposed 24 ways hackers can hijack seemingly secure browser sessions.

Robert Hansen and Josh Sokol demonstrated methods attackers can use to take over users' accounts or assume control of a website without the need for any exploits, due to the way browsers implement "HTTPS." HTTPS, a combination of the Hypertext Transfer Protocol with the SSL/TLS Protocol, allows a website owner to encrypt a session using a digital certificate.

For any of the two dozen attacks to work, however, a criminal would have to have assumed control of a user's computer via a man-in-the-middle (MITM) exploit, by which an attacker intercepts communications between two systems.

But the researchers wanted to show that HTTPS protection alone won't stop bad things from happening.

For example, the pair detailed an attack known as "session fixation" that takes advantage of the fact that banks using HTTPS don't change a user's cookie after they login -- they simply mark it as valid. As a result, an attacker with MITM control could visit the bank site ahead of the user and set the cookie, essentially logging in the crook as the legitimate user.

Another scenario, known as "delayed pop-up," involves a user who visits a website, such as a bank, and clicks on a link to go the SSL-protected version of the site. This opens a second tab, but if the attacker has control of the first tab, he is able to change the other HTTPS tab to redirect users to malicious executables or authentication forms.

Still, the reliance on MITM makes the scenarios Hansen and Sokol demonstrated unlikely to happen on a widespread scale, they said.

"You'd have to be a very determined attacker," Hansen said. "And determined attackers have a lot of other avenues for attack."

He did say that while "the world is not crashing," website owners and users should take the threats seriously as they have the potential to threaten secure electronic commerce. Potential mitigations include the browser makers offering tab, port and cookie sandboxing controls.

Hansen added that there are likely "hundreds" of other similar vulnerabilities.

Related Articles
Related Topics

Sign up to our newsletters

More in News

House Intelligence Committee OKs amended version of controversial CISPA

Despite the 18-to-2 vote in favor of the bill proposal, privacy advocates likely will not be satisfied, considering two key amendments reportedly were shot down.

Judge rules hospital can ask ISP for help in ID'ing alleged hackers

The case stems from two incidents where at least one individual is accused of accessing the hospital's network to spread "defamatory" messages to employees.

Three LulzSec members plead guilty in London

Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, who was not named until now because of his age, all admitted their involvement in the hacktivist gang's attack spree.