Posted on 07/26/2016 1:00:39 PM PDT by Swordmaker
Due to copyright concerns this will be link only article. Read all about it at the Ars Technica site:
New attack that cripples HTTPS crypto works on Macs, Windows, and Linux (link Only due to ©)
Pinging dayglored, Shadow Ace, and ThunderSleeps for your ping lists due to cross platform security issues.
The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.
If you want on or off the Mac Ping List, Freepmail me
(It should be noted Google pushes out updates to Chrome immediately if there is a known substantial security bug like this.)
I doubt it is something a mere browser can fix. This is going to require a change in the HTTPS standards. This occurs because of the way the Encryption is designed in the standard. . . which all browsers have to meet to work on the Internet when using HTTPS.
read
Well, Google could adopt the way Microsoft accesses HTTPS websites with Edge and Internet Explorer 11.0—that only requires a relatively minor code change.
Well before everyone freaks out, this attack only works if the network operator deploys it. So unless you are using someone’s network who you can’t trust (or hackers are able to compromise the network you are using through some other means), it’s not going to affect you.
Even you did get hit with this attack, most of the HTTPS security would still remain intact. They would not, for example, be able to decrypt any of the encrypted web traffic that is passed thru HTTPS.
Okay, so this article is beginning to sound like Click Bait?
Again?
Those cats must never have read the story about the Boy Who Cried Wolf.....
Nah, it’s a real vulnerability, but it quite as bad as HTTPS being completely compromised.
Thanks to Swordmaker for the ping!!
"...a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks... With the exception of the full URL, all other HTTPs traffic remains unaffected by the attack. Still, in some cases, disclosure of the URL can prove fatal for security..."
The Ars Technica article talks about using WPAD to leak URLs. Microsoft issued a patch for WPAD in MS16-077.
I looked at the patch and it does indeed fix the problem. However it uses a sledgehammer to do it: It disallows NETBIOS traffic outside of the local subnet for ANYTHING. This is going to create havoc for legitimate file sharing and remote management (esp cloud) and name resolution on routed networks.
It needs a system registry change to undo it. No Group Policy, ugh. This is going to be a major tech support headache.
This is not a hack of HTTPS. It’s merely a way to snoop URLs by redirecting HTTPS traffic through a compromised Web Proxy server. Home users and most organizations are unaffected because WPAD is rarely used in the modern era of fast WANs and near unlimited local storage.
In fact the most common use of web proxies today is to let organizations snoop their employees web acitivity - exactly what this so called ‘hack’ does.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.