Compression Oracle Attacks on VPN Networks

Black Hat USA 2018

Presented by: Ahamed Nafeez
Date: Wednesday August 08, 2018
Time: 13:30 - 14:20
Location: Lagoon GHI

Security researchers have done a good amount of practical attacks in the past using chosen plain-text attacks on compressed traffic to steal sensitive data. In spite of how popular CRIME and BREACH were, little was talked about how this class of attacks was relevant to VPN networks. Compression oracle attacks are not limited to TLS protected data. Regardless of the underlying encryption framework being used, these VPN networks offer a very well used feature usually known as TCP Compression which in a way acts almost similar to the TLS compression feature pre-CRIME era.

In this talk, we try these attacks on browser requests and responses which usually tunnel their HTTP traffic through VPNs. We also explore the possibility of attacking ESP Compression and other such optimizations in any tunneled traffic which does encryption. We also show a case study with a well-known VPN server and their plethora of clients.

We then go into practical defenses and how mitigations in HTTP/2's HPACK and other mitigation techniques are the way forward rather than claiming 'Thou shall not compress traffic at all.' One of the things that we would like to showcase is how impedance mismatches in these different layers of technologies affect security and how they don't play well together.

Ahamed Nafeez

Ahamed Nafeez has a varied offensive security background with some emphasis on browsers, web services, and cryptography. He believes defending is much harder than attacking most of the time and appreciates the variables and challenges defenders have. These days he is interested in writing secure frameworks, automating attacks and more or less trying to learn to write good code. He has spoken at a few security conferences in the past around web apps, browsers and security analysis of javascript. He tweets at @skeptic_fx and builds his side project [assetwatch.io](https://protect- eu.mimecast.com/s/tHsaCZY99UPlNB0UjMdep?domain=assetwatch.io) in free time, an automated asset discovery/monitoring service.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats