On Thu, Aug 1, 2013 at 1:44 PM, Isaac (.ike) Levy <span dir="ltr"><<a href="mailto:ike@blackskyresearch.net" target="_blank">ike@blackskyresearch.net</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Nifty SSL nastiness (http deflate to find fragments of strings in https):<br>
<a href="http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/" target="_blank">http://arstechnica.com/<u></u>security/2013/08/gone-in-30-<u></u>seconds-new-attack-plucks-<u></u>secrets-from-https-protected-<u></u>pages/</a></blockquote>
<div><br></div><div>I was trying to figure out (from the article, since the presentation wasn't available yet, how this works. It seems to rely on being able to inject an arbitrary string into a page that also includes the secret you're trying to discover. I keep trying to picture a real world scenario where that's possible but I'm having a hard time... probably missing something.</div>
<div> </div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Not Defcon, but related:<br>
"More Encryption Is Not the Solution", PHK, describes some novel attacks for cloud/carriers to trivially demolish ssl.<br>
<a href="http://queue.acm.org/detail.cfm?id=2508864" target="_blank">http://queue.acm.org/detail.<u></u>cfm?id=2508864</a><br>
<br>
Pretty interesting reactions to the "encrypt everything" push for the interenet in the last few years...<br></blockquote><div><br></div><div>Well exactly. SSL protects from spying on the wire, but not from spying in the datacenter. And if you're a state-level actor, you can coerce your local Certificate Authority to issue bogus certs for common services and use proxies to sniff all the traffic.</div>
<div><br></div><div>The overall weakness of the model led to the zero-knowledge service movement and secure peer-to-peer networks, but a determined attacker could still compromise one of the endpoints with malware or sneaky code injection like PHK describes. </div>
<div><br></div><div>The sad fact is, the Internet, and networked computers generally, are not made for secrets. Hence the need to work in the real world to ensure that state-level secrets aren't necessary.</div></div>