HTTPS exploit using JS

barbaz
Senior Member
Posts: 9145
Joined: Sat Aug 03, 2013 5:45 pm

HTTPS exploit using JS

Post by barbaz » Sat Aug 27, 2016 6:44 pm

http://arstechnica.com/security/2016/08/new-attack-can-pluck-secrets-from-1-of-https-traffic-affects-top-sites/

1) How is haxxor supposed to gain MITM if they has to inject their JS on a page that's HTTPS to start with? Doesn't that already mean the attack is not as "practical" as the article suggests?
And isn't it impossible for haxxor's JS to stay alive after their page is closed?

2) Being a NoScript user where such JS would presumably be blocked, and since I'm going to update my browser soon anyway, is there any point in disabling the affected cypher(s)? If so how to do it?
(I found a "security.ssl3.rsa_des_ede3_sha" in about:config but don't know if it's related?)
*Always* check the changelogs BEFORE updating that important software!
-

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: HTTPS exploit using JS

Post by Thrawn » Tue Aug 30, 2016 12:27 am

barbaz wrote:1) How is haxxor supposed to gain MITM if they has to inject their JS on a page that's HTTPS to start with?

From what I've read, the JavaScript can be the attacker's own website, so it's not really injection.

barbaz wrote:And isn't it impossible for haxxor's JS to stay alive after their page is closed?

Generally yes. I think the attack assumes that the page stays open. Not unreasonable in many cases.

barbaz wrote:2) Being a NoScript user where such JS would presumably be blocked, and since I'm going to update my browser soon anyway, is there any point in disabling the affected cypher(s)? If so how to do it?
(I found a "security.ssl3.rsa_des_ede3_sha" in about:config but don't know if it's related?)

Not sure, but that might be the one. I suggest that you disable it and check whether any sites break.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0


Re: HTTPS exploit using JS

Post by barbaz » Tue Aug 30, 2016 3:00 am

Thanks Thrawn for the clarifications!

So far I haven't had any issues from disabling that cypher...

How's My SSL lists these cyphers for my browser now

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA

yes_noscript

Re: HTTPS exploit using JS

Post by yes_noscript » Tue Aug 30, 2016 7:57 am

Here is my list and I didn't find any problems.

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20160728 PaleMoon/27.0.0a2
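
Added example (not part of any post in this thread): a small audit of the two cipher lists posted above. The attack in the linked article targets ciphers with a 64-bit block such as 3DES, so the script flags those suites and shows how the two lists differ. The function names (`parse_suite`, `block64_suites`, `only_in`) are hypothetical, and `BEFORE` is a constructed sample that assumes the pref `security.ssl3.rsa_des_ede3_sha` controls `TLS_RSA_WITH_3DES_EDE_CBC_SHA`.

```python
import re

# Cipher-name prefixes (IANA suite naming) that denote a 64-bit block cipher.
BLOCK64_PREFIXES = ("3DES", "DES", "IDEA", "RC2")
# Pre-TLS 1.3 naming: TLS_<key exchange>_WITH_<cipher>_<mac/prf hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")

def parse_suite(name):
    """Split an IANA-style suite name into the properties worth auditing."""
    m = SUITE_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    cipher = m.group("cipher")
    return {
        "name": name.strip(),
        "cipher": cipher,
        "block64": cipher.startswith(BLOCK64_PREFIXES),
        "aead": cipher.endswith(("GCM", "POLY1305")),
        "forward_secrecy": m.group("kx").startswith(("ECDHE", "DHE")),
    }

def block64_suites(suites):
    """Suites in the list that use a 64-bit block cipher (e.g. 3DES)."""
    return [s for s in suites if parse_suite(s)["block64"]]

def only_in(first, second):
    """Suites offered in `first` but absent from `second`, order preserved."""
    other = {s.strip() for s in second}
    return [s for s in first if s.strip() not in other]

# The two lists as posted in the thread (first list, then second list).
LIST_A = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
]
LIST_B = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# Constructed sample: LIST_A plus the 3DES suite, i.e. the state before it is disabled.
BEFORE = LIST_A + ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    print("64-bit block suites before:", block64_suites(BEFORE))
    print("64-bit block suites after: ", block64_suites(LIST_A))
    for s in only_in(LIST_A, LIST_B):
        print("only in first list:", s)
```

Neither posted list contains a 64-bit block cipher; the only difference between them is three AES-128 CBC suites.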


Re: HTTPS exploit using JS

Post by barbaz » Tue Aug 30, 2016 8:24 pm

@yes_noscript: Do you know why Pale Moon disables those 128 cyphers in my list and does the reasoning apply to me and my SeaMonkey based on Gecko 45 (and soon to be Gecko 49)?

Re: HTTPS exploit using JS

Post by yes_noscript » Tue Aug 30, 2016 9:23 pm

Don't know. Are the 128bit ciphers disabled by default?

Moonchild will disable all 3DES ciphers by default in the next update.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20160728 PaleMoon/27.0.0a2


Re: HTTPS exploit using JS

Post by barbaz » Tue Aug 30, 2016 10:00 pm

yes_noscript wrote:Don't know. Are the 128bit ciphers disabled by default?

Well, again, I'm just comparing the cypher list you posted to the cypher list I posted...

I don't enable any cyphers that aren't enabled by default, my only custom cypher configuration is disabling some.
Looking at your post here viewtopic.php?p=82063#p82063 only one of the 128 cyphers is disabled relative to my output, so I assumed (incorrectly?) that you're using default Pale Moon configuration for cyphers?

Re: HTTPS exploit using JS

Post by Thrawn » Wed Aug 31, 2016 5:19 am

And once again rate limiting would make this attack substantially harder.

I pitched the idea to Moonchild, but he rejected it.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0


Re: HTTPS exploit using JS

Post by yes_noscript » Wed Aug 31, 2016 7:35 pm

Ah, now I understand your question.
No, I don't use the default ciphers. I disable a lot.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20160728 PaleMoon/27.0.0a2


Re: HTTPS exploit using JS

Post by barbaz » Wed Aug 31, 2016 9:19 pm

yes_noscript wrote:No, I don't use the default ciphers. I disable a lot.

OK that's even better, thanks! What is your reasoning for disabling them, and given the browser(s) I'm using should I be concerned and do the same?

Re: HTTPS exploit using JS

Post by yes_noscript » Wed Aug 31, 2016 9:32 pm

I read a lot on the web and then disable those not-so-secure ciphers.
Until now I haven't found a website which doesn't work.

So yes, I would say I have better SSL/TLS security now because only good ciphers are available.
Here is my list from Pale Moon 27:
[Image not available]
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.0) Goanna/20160728 PaleMoon/27.0.0a2


Re: HTTPS exploit using JS

Post by barbaz » Wed Aug 31, 2016 9:38 pm

Good so it sounds like there is no immediate concern but it's still worth trying disabling them in case it saves me time and security. Thanks yes_noscript! :D