Linux users vulnerable to attack on https feature


A researcher has developed an attack on HTTP Strict Transport Security, a standard that websites use to force browsers to use https. With this method, a malicious attacker carrying out a man-in-the-middle attack could intercept login data.

In addition to Linux users, users of OS X Lion are also vulnerable, security researcher Jose Selvi explained at the European edition of the Black Hat security conference in Amsterdam. In theory, OS X Mavericks and Windows 7 and 8 are also vulnerable, but in practice the attack is not realistic against those operating systems. The attack requires that the victim's connection can be intercepted, for example with a bogus wi-fi access point.

The attack that Selvi has developed makes it possible to completely bypass HTTP Strict Transport Security, a feature that is meant to ensure that a user can visit a particular website only via https. The security method is supported by Chrome and Firefox; Internet Explorer will follow soon.

By default, the first request to a web server goes over http. Sites that use https then have to forward the user to the https version of their website. That is where the vulnerability lies: an attacker can intercept the http request and ensure that the https session is set up not by the user but by the attacker. The attacker can then pass the content of the pages on to the user via http.

Thanks to hsts, websites can use an http header to let browsers know that from then on they may only be visited via https; even if a user's connection is subsequently intercepted, he is in principle safe on websites with hsts, because the browser knows that those sites may only be visited over https. In addition, Chrome and Firefox include a list of common websites, such as PayPal and Google, that may in any case only be visited over https.

In both cases hsts can be bypassed, Selvi states. That is because both features rely on time. A website indicates how far into the future an https connection should be enforced, for example for a month. The same thing happens in the source code of Chrome: it requires that websites like PayPal and Google can only be visited via https until three years in the future.

Selvi therefore devised a trick to change the time on the operating system so that, once the clock is three years in the future, the website's requirement to use only https no longer applies. Manipulating the time was fairly simple on Ubuntu and Fedora: those operating systems periodically update the system time via the Network Time Protocol.

That protocol has support for secure connections, but it is not enabled by default. Selvi was therefore able to send forged ntp packets, which set the system time three years into the future. As a result, the http strict transport security policy of the sites no longer applied, and the connection to the sites could be intercepted after all. “Time is just not something you should trust,” says Selvi.

Users of Fedora are the most vulnerable: that operating system syncs the time every minute, which makes the attack easiest to carry out. Ubuntu syncs the time at every boot, or whenever a network connection is made. An attacker could terminate an intended victim's connection, after which the connection is re-established and the time is synchronized. OS X Lion is also vulnerable: that operating system synchronizes every nine minutes.

Windows users are less vulnerable. Windows 7 and Windows 8 sync every seven days, and the operating system also does not accept time changes that are greater than fifteen hours. That makes the attack unrealistic against that operating system. Ironically, OS X Mavericks is not at risk because the time is not synchronized properly in the background.

In a response, Google said that this is “a well-known problem with http”; the browser maker does not appear to be planning to solve the problem.
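The dependence of hsts on the local clock, and the effect of a limit on time changes like the fifteen-hour one described for Windows, can be shown in a small model. This is an added example, not code from the article or from Selvi; the host name, timestamps, header value and the `Clock` class with its `max_step` cap are constructed for illustration.

```python
from dataclasses import dataclass

HOUR, DAY = 3600, 86400

def parse_max_age(header_value):
    """Return max-age in seconds from a Strict-Transport-Security header value."""
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            return int(value.strip().strip('"'))
    raise ValueError("max-age directive missing")

@dataclass
class HstsEntry:
    host: str
    noted_at: int  # epoch seconds when the header was received
    max_age: int   # seconds the https-only policy stays valid

    def enforced(self, now):
        # The expiry check depends entirely on the local clock.
        return now < self.noted_at + self.max_age

class Clock:
    """Local clock; max_step (seconds) is a hypothetical cap on accepted jumps."""
    def __init__(self, now, max_step=None):
        self.now, self.max_step = now, max_step

    def apply_update(self, proposed):
        if self.max_step is not None and abs(proposed - self.now) > self.max_step:
            return False  # implausible step: keep the current time
        self.now = proposed
        return True

def simulate(max_step):
    """Return (scheme before, update accepted?, scheme after) for one host."""
    t0 = 1_400_000_000  # constructed start time
    header = "max-age=2592000; includeSubDomains"  # constructed: 30 days
    entry = HstsEntry("shop.example", t0, parse_max_age(header))
    clock = Clock(t0, max_step)
    scheme = lambda: "https" if entry.enforced(clock.now) else "http"
    before = scheme()
    accepted = clock.apply_update(t0 + 3 * 365 * DAY)  # time update three years ahead
    return before, accepted, scheme()

if __name__ == "__main__":
    print("no cap:      ", simulate(None))
    print("15-hour cap: ", simulate(15 * HOUR))
```

Without a cap the three-year step is accepted and the stored policy is treated as expired; with the cap the update is rejected and https stays enforced.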
