HTTPS hackable in 30 seconds: DHS alert

Security experts are warning website operators to test whether their HTTPS traffic is vulnerable to a new crypto attack that can be used to grab sensitive information, InformationWeek reports. The so-called BREACH attack — short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext — was detailed in a Department of Homeland Security (DHS) “BREACH vulnerability in compressed HTTPS” advisory, issued Friday, which warned that “a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream.” All versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable. … Their attack is the latest exploit that demonstrates that so-called secure HTML pages aren’t always fully secure.

Read more