Toxic Proxies - Bypassing HTTPS and VPNs to Pwn Your Online Identity

DEF CON 24

Presented by: Alex Chapman, Paul Stone
Date: Sunday August 07, 2016
Time: 14:00 - 14:50
Location: DEF CON 101

Rogue access points provide attackers with powerful capabilities, but in 2016 modern privacy protections such as HTTPS Everywhere, free TLS certificates and HSTS are de-facto standards. Surely our encrypted traffic is now safe on the local coffee shop network? If not, my VPN will definitely protect me... right? In this talk we'll reveal how recent improvements in online security and privacy can be undermined by decades old design flaws in obscure specifications. These design weakness can be exploited to intercept HTTPS URLs and proxy VPN tunneled traffic. We will demonstrate how a rogue access point or local network attacker can use these new techniques to bypass encryption, monitor your search history and take over your online accounts. No logos, no acronyms; this is not a theoretical crypto attack. We will show our techniques working on $30 hardware in under a minute. Online identity? Compromised. OAuth? Forget about it. Cloud file storage? Now we're talking.

Alex Chapman

Alex Chapman is a Principal Security Researcher at Context Information Security in the UK, where he performs vulnerability discovery, exploit development, bespoke protocol analysis and reverse engineering. He has been credited in security advisories for a number of major software products for vendors such as Citrix, Google, Mozilla and VMware, and has presented his research at security conferences around the world. He has spent the past several months making things (for a change), poking holes in old technologies, and pointing out security flaws which have no place in modern day software. Twitter: @noxrnet

Paul Stone

Paul Stone is a Principal Security Researcher at Context Information Security in the UK where he performs vulnerability research, reverse engineering, and tool development. He has a focus on browser security and has reported a number of vulnerabilities in the major web browsers including Chrome, Internet Explorer, Firefox, and Safari. He has spoken at a number of Black Hat conferences, presenting the well-received 'Pixel-Perfect Timing Attacks' and 'Next Generation Clickjacking' talks. Paul's recent obsession has been Bluetooth LE and has helped create the RaMBLE Android app for collecting and analyzing BLE data. Twitter: @pdjstone


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats