It is rightly stated that there is no absolute security in the Cyber world and we are using technology to provide security to atmost level and even then they can be torn apart. Recently an attack has been revealed for HTTPS traffic.
All the web pages we are using uses HTTP (#Hyper Text Transfer Protocol) for fetching and communicating some data and due to the insecurity of the protocol we moved to HTTPS (HTTP Secure) protocol to safeguard our sensitive data if transferred.
It doesnot ends here HTTPS has many attack such as SSL Stripping, BEAST attack and now an attack has been revealed with which a potential attacker can get information such as Cookie header length, GPS coordinates and also the Password length.
HTTPS works along with TLS and according to this attack it will tear down the traffic that are being transmitted below TLS and then it will give the hacker information about the data that is being transmitted.
In order to exploit this there are few pre requisite to be followed which is the Implementation should use Stream cipher and attacker must know the length of the rest.
If the attacker successfully exploits the attack then he/she can get GPS coordinates and Cookie header and also the password length with which the Brute Force attack on the password can be attempted.
It can be prevented if TLS stream cipher has been disabled from Webmaster side and use latest version of TLS 1.2 and also pad some data to the original data to mask the actual length.
The documentation about the attack can be found here.
P.S: The post is to create awareness and not to be misused.
No comments:
Post a Comment