HTTPS Can Byte Me
This paper on the security problems of HTTPS was presented at Black Hat 2010 by Robert Hansen, aka “RSnake”, of SecTheory and Josh Sokol of our own National Instruments.
This was a very technical talk, so I’m not going to try to reproduce it all for you here. Read the white paper and slides. But basically there are a lot of things about how the Web works that make HTTPS somewhat defeatable.
First, there are insecure redirects, DNS lookups, etc. before you ever get to a “secure” connection. But even after that you can do a lot of hacking from traffic characterization: premapping sites, watching “encrypted” traffic and seeing patterns in size, GET vs. POST, etc. A lot of the discussion was around doing things like making a user precache content to remove noisiness via a side channel (like a tab; browsers don’t segment tabs). Anyway, there’s a lot of middle ground between “You can read all the traffic” and “The traffic is totally obscured to you,” and it’s that middle ground that it can be profitable to play in.
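To make the "patterns in size" point concrete, here is a small added example (my own, not code from the talk or white paper). It models a premapped site as a table of response lengths, shows that an on-path observer who only sees TLS record lengths can still tell which page was fetched, and then shows the defender's side: padding responses to a fixed bucket size collapses several pages onto the same observed length. The site map, the per-record overhead constant and the bucket size are constructed placeholders; real TLS overhead depends on the protocol version and cipher suite.

```python
# Added example: response-size fingerprinting of "encrypted" traffic and
# padding as a mitigation. All sizes below are constructed, not measured.
from collections import defaultdict

# Constructed "premapped" site: path -> plaintext response length in bytes.
SITE_MAP = {
    "/index.html": 1832,
    "/login.html": 2405,
    "/account/balance": 2411,
    "/logo.png": 14203,
    "/help.html": 9030,
}

# Assumed fixed per-record overhead (header, IV, MAC/AEAD tag). Placeholder:
# the real figure varies with TLS version and cipher suite.
TLS_OVERHEAD = 29


def pad_to_bucket(n, bucket):
    """Round n up to the next multiple of bucket (server-side padding)."""
    return ((n + bucket - 1) // bucket) * bucket


def observed_size(plaintext_len, overhead=TLS_OVERHEAD, pad_to=None):
    """Ciphertext length a passive observer sees for one response."""
    if pad_to:
        plaintext_len = pad_to_bucket(plaintext_len, pad_to)
    return plaintext_len + overhead


def build_index(site_map, overhead=TLS_OVERHEAD, pad_to=None):
    """Map each observable size to the set of paths that would produce it."""
    index = defaultdict(set)
    for path, plen in site_map.items():
        index[observed_size(plen, overhead, pad_to)].add(path)
    return index


def candidates(observed, index, tolerance=0):
    """Paths whose expected size is within `tolerance` bytes of `observed`."""
    out = set()
    for size, paths in index.items():
        if abs(size - observed) <= tolerance:
            out |= paths
    return out


def leak_report(site_map, pad_to=None):
    """Fraction of resources that size alone identifies uniquely."""
    index = build_index(site_map, pad_to=pad_to)
    unique = sum(1 for paths in index.values() if len(paths) == 1)
    return unique / len(site_map)


if __name__ == "__main__":
    # Unpadded: every page has a distinct length, so one observation suffices.
    print("unpadded, 2434 bytes seen:", candidates(2434, build_index(SITE_MAP)))
    print("unpadded leak fraction:", leak_report(SITE_MAP))
    # Padded to 4 KiB buckets: the three small pages become indistinguishable.
    padded = build_index(SITE_MAP, pad_to=4096)
    print("padded, 4125 bytes seen:", candidates(4125, padded))
    print("padded leak fraction:", leak_report(SITE_MAP, pad_to=4096))
```

The takeaway for a defender is that encryption hides content but not length; padding (or bucketing) trades bandwidth for ambiguity, and the `leak_report` figure is a quick way to measure how much ambiguity a given bucket size buys for a given site. Request-side features such as GET vs. POST, which the talk also mentions, would be additional columns in the same kind of index.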