A key guarantee provided by HTTPS encryption is that the addresses of visited websites aren’t visible to attackers who may be monitoring an end user’s network traffic. Now, researchers have devised an attack that breaks this protection.
The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD—short for Web Proxy Autodisovery—in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week’s Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.
“People rely on HTTPS to secure their communication even
Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/Rp5lRrCfgSk/