SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME

In this hands-on talk, we will introduce new targeted techniques and research that allows an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. We will demonstrate this new browser vector is real and practical by executing a PoC against a major enterprise product in under 30 seconds. We will describe the algorithm behind the attack, how the usage of basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations you can implement today. We will also describe the posture of different SaaS vendors vis-à-vis this attack. Finally, to provide the community with ability to build on our research, determine levels of exposure, and deploy appropriate protection, we will release the BREACH tool.

Presented by