From BEAST to CRIME: Another Attack Exposes HTTPS Vulnerability


You might remember how a few months ago we detailed how HTTPS (or secure web browsing) is not really as secure as it seems. Last fall, two security researchers demonstrated a program they called BEAST that allows hackers to gain access to restricted user accounts.

Well, the same researchers have found another vulnerability in HTTPS. And this one may be even worse than the first.

Why HTTPS Is Not Secure

But first, let’s provide a little background on HTTPS.

Retailers, banks, and other online retailers use secure websites — HTTPS (Hypertext Transfer Protocol Secure) — to provide secure transactions. You can tell if a website is a “secure” one if it has “https” in its URL and has a small lock symbol next to it.

SSL, or Secure Sockets Layer, is the technology behind HTTPS. SSL creates an encrypted link between a website and your browser and supposedly ensures that all data passed between them remains private.

Up until last fall, most people had assumed that HTTPS was completely safe. BEAST changed all that. The two researchers who created BEAST, Thai Duong and Juliana Rizzo, were able to access a PayPal account that was supposed to be encrypted. And they reported that 90% of the websites that used SSL were vulnerable to this kind of attack.

CRIME is the New BEAST

Using the CRIME attack code, Duong and Rizzo were able to steal the login credentials of any site a user was visiting from supposedly encrypted cookie files and log in using these credentials.

They don’t want to detail how they did it so this information won’t fall into the wrong hands.

The CRIME code must first be loaded into the victim’s web browser in order for the attack to work. Usually, this can be accomplished by tricking the victim into visiting a rogue website that contains the code.

The attacker must also be able to sniff the victim’s HTTPS traffic via a public wifi network, or by using techniques such as ARP snooping, which allows attackers to intercept data.

Rizzo and Duong will present more details later this month at the Ekoparty security conference in Buenos Aires.

Protect Yourself Using Private WiFi

As we’ve said before, using a personal VPN like PRIVATE WiFi is the only way to protect yourself from this kind of attack, whether you are simply emailing or making any financial transaction using a credit card, paying with something via PayPal, or managing your online banking accounts.

Now more than ever, consumers need PRIVATE WiFi to protect their information. PRIVATE WiFi encrypts all the data moving to and from your laptop, even HTTPS information. A bad guy may not be lurking in every single wifi hotspot, but a personal VPN provides an extra layer of security that protects ALL of your communication.

Get Private Wifi   Protect your personal information.
Get DataCompress   Cut your mobile data usage.

Kent Lawson

Kent Lawson is the CEO & Chairman of Private Communications Corporation and creator of its flagship software PRIVATE WiFi. He combined his extensive business and technical experience to develop PRIVATE WiFi in 2010. The software is an easy-to-use Virtual Private Network (VPN) that protects your sensitive personal information whenever you’re connected to a public WiFi network. Follow Kent on Twitter: @KentLawson.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.