The Cryptopocalypse Is HERE! In less than 30 seconds, the private information that you enter into millions of websites protected with HTTPS encryption, previously thought safe, have now suffered BREACH. That’s correct. SSL and TLS is starting to fail. The internet is afire with news, saying there is “No easy way to stop BREACH from plucking secrets from HTTPS page“.
The U.S. Department of Homeland Security has issues alerts to website operators and webmasters, advising them to investigate if they are susceptible to Breach.
US-CERT has their update posted here., stating: “We are currently unaware of a practical solution to this problem.”
What does this mean to you? If you do online banking, online shopping, pay utilities, or sign into ANY online system protected by HTTPS encryption, using either Secure Sockets Layer (SSL) or Transport Layer Security (TLS), it is now wide open to viewing within 30 seconds.
This means information you enter on an HTTPS encrypted page, for example E-Mail addresses, social security numbers, passwords, is now unprotected.
What is BREACH? It stands for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext. It was revealed last Thursday, in Las Vegas, NV, during the Black Hat Security Conference by researchers Angelo Prado, Yoel Gluck, and Neal Harris. It works against all versions of TLS and SSL, regardless of the encryption algorithm or cipher that’s used.
Back in 1994, Netscape Communications created HTTPS to be used for its Netscape Navigator web browser. HTTPS was originally used with SSL protocol, which further evolved into Transport Layer Security (TLS).
The current version of HTTPS was formally specified by RFC 2818 in May 2000.
Also at the same Black Hat Security conference, other researchers, Alex Stamos, Tom Ritter, Thomas Ptacek, and Javed Samuel, warn everyone involved in cryptography: software developers, certificate authorities, etc. to switch to more modern cryptographic algorithms and security protocols, before the entire house of cards collapses. For example, a family of encryption algorithms called Elliptic Curve Cryptography (ECC), mostly patented by Blackberry. Alex Stamos encourages ECC adoption now.
Further, accelerated breakthroughs in Cryptograpy have happened in the past six months. The focus has been on specific things, for example, discrete logarithm computations, Security experts believe that the RSA algorithm may break and fail in the foreseeable future.
RSA is an algorithm for public-key cryptography, using public and private keys for encrypting messages. The RSA algorithm stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977. The aging RSA algorithm is coming up on 40 years, yet remains the standard public key exchange on the Internet today.
All of the existing encryption techniques and protocols in use today need to be closely reviewed, and updated. The time for a change is NOW before it is too late.
What can you do about BREACH? Unfortunately, right now, nothing. It is up the the website designers of the sites you visit to take appropriate mitigation measures to protect you on your next visit to their website.