When browsing the Web, we often encounter a little padlock in the corner of the window, "https" at the beginning of a URL, or other things like Verisign's green address bar. All of these signs indicate that Secure Sockets Layer (SSL) is in use on the current Web site to protect communications between the server and the end user.
We generally assume that the SSL protocol makes online transactions and other exchanges over the Internet safer. This is usually true for most Web sites, as SSL certificates are issued by Certificate Authorities approved by browsers. But according to researchers from Indiana University and Microsoft, whatever protection SSL certificates provide, there are ways to circumvent the security protocol and find out what the encrypted data consists of.
The flaw does not reside in the way SSL works. In fact, it works very well at what it is meant for: encrypting data so that it cannot be interpreted by someone who gets access to it. The technique described by the researchers in their paper consists of looking at the size of the packets transmitted between the server and the end user's machine to guess their contents. It mostly applies in the now-standard case where the Web page uses AJAX programming methods. Wireless communications are also vulnerable, even when transmitted over WPA, because encrypting the data does not stop its size from being analyzed.
For instance, most modern search engines provide auto-completion for text-based searches. The way it works is that each time a user types a letter in the search box, the server sends the list of words that start with that letter. By "sniffing" the transmitted packets, a malicious user can find out the exact size of the data transmitted and therefore, without decrypting anything, can guess which letter was typed. The attacker can then apply the same process to every subsequent letter and successfully find out what the search query was.
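The auto-completion leak described above, as an added illustration that is not from the researchers' paper or from any real search engine: a constructed toy suggestion table, the plaintext size of each JSON response, how many typed letters an observer could pin down from size alone, and what padding every response up to a fixed bucket size (the paper's general class of mitigation) does to that count.

```python
import json
import math

# Constructed toy auto-completion table: typed letter -> suggestions.
# The lists are made up for this example; no real service returns them.
SUGGESTIONS = {
    "a": ["apple", "amazon", "android"],
    "b": ["bank", "best buy"],
    "c": ["cnn", "craigslist", "costco", "cvs"],
    "d": ["dictionary"],
    "e": ["ebay", "espn"],
    "f": ["facebook"],
    "g": ["google", "gmail"],
    "h": ["hotmail"],
    "i": ["imdb", "ikea"],
}


def response_bytes(prefix, suggestions):
    """Plaintext size of the JSON reply for one typed prefix.
    TLS adds a roughly constant overhead, so differences in this
    number survive encryption and are what the observer sees."""
    return len(json.dumps(suggestions.get(prefix, [])).encode())


def pad_to_bucket(size, bucket):
    """Mitigation: round every reply up to a multiple of `bucket` bytes."""
    return math.ceil(size / bucket) * bucket


def size_classes(suggestions, bucket=1):
    """Group prefixes by the size an observer would see (bucket=1: no padding)."""
    classes = {}
    for prefix in suggestions:
        size = pad_to_bucket(response_bytes(prefix, suggestions), bucket)
        classes.setdefault(size, set()).add(prefix)
    return classes


def uniquely_identifiable(suggestions, bucket=1):
    """How many typed letters the size alone pins down to a single candidate."""
    return sum(1 for c in size_classes(suggestions, bucket).values() if len(c) == 1)


def leaked_bits(suggestions, bucket=1):
    """Entropy of the typed letter minus what remains after seeing the size."""
    n = len(suggestions)
    classes = size_classes(suggestions, bucket)
    remaining = sum(len(c) * math.log2(len(c)) for c in classes.values()) / n
    return math.log2(n) - remaining
```

With no padding, 7 of the 9 letters in the toy table are identified by size alone; padding to 64-byte buckets collapses every reply to one size and leaks nothing.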
Now, except for the fact that you were searching for a "spaghetti sauce recipe" last Thursday, the hacker who intercepts communications with your computer does not gain much information. Yet. Actually, the researchers have shown that many other Web applications are also vulnerable to packet-size-based inference. They were even able to deduce the doctor and medical condition of a person who had entered the information on a Web site operated by "one of the most reputable companies of online services," which, of course, they will not name. Using the same technique of deducing the contents of transmitted data from its size, the researchers also managed to find out the Adjusted Gross Income of taxpayers who were using a well-known online tax preparation site.
These findings are somewhat disturbing as the researchers have demonstrated that anyone with enough skill can achieve what they have done. If hackers with bad intentions start using this inference technique, the whole security model based on SSL encryption would be rendered mostly useless.