Bulletproof TLS Newsletter #19
SWEET32, HEIST/TIME, PAC and WPAD leak HTTPS URLs
31 August 2016
Author: Hanno Böck

This issue was distributed to 29,628 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. SWEET32 – Attacks on 64 bit block ciphers
  2. HEIST/TIME – Old timing attack gets new attention
  3. PAC and WPAD leak HTTPS URLs
  4. Other news

SWEET32 – Attacks on 64 bit block ciphers

Older block ciphers like Triple-DES and Blowfish encrypt data in blocks of 64 bits. It is well known that the block size limits the amount of data that can be encrypted safely with the same key. After encrypting 2^32 blocks of data with the same key block collisions become very likely due to the birthday paradox.

Karthikeyan Bhargavan and Gaëtan Leurent showed that this weakness can be used to practically attack TLS connections using old cipher modes with Triple-DES and OpenVPN connections using Blowfish. They named their attack SWEET32. Both attack scenarios require several hundred gigabytes of data and take between 20 and 40 hours. These attacks also may be mitigated by factors like limits for Keep-Alive connections in web servers.

In TLS the issue can be completely avoided by disabling Triple-DES-based cipher suites. However Triple-DES is still supported by many servers because it's a compatibility option for old clients. Most notably Windows XP's own TLS implementation and applications using it (like Internet Explorer) support no stronger cipher modes. It remains to be seen whether SWEET32 will cause widespread deprecation of Triple-DES.


HEIST/TIME – Old timing attack gets new attention

At the Black Hat USA conference researchers presented an attack called HEIST. The attack combines compression-based attacks on TLS using the HTTP compression feature with a timing side-channel using Javascript.

However, almost all the pieces of the HEIST attack had been presented previously. The first compression-based attack on TLS was called CRIME, yet it wasn't very practical, as it used the TLS compression functionality that almost no one used anyway. BREACH then used the HTTP compression feature. An attack called TIME, presented at Black Hat EU 2013, provided the extension to Javascript-timing. However, unlike CRIME and BREACH, the TIME attack never got widespread attention. Therefore this attack scenario was forgotten and is now rediscovered. Nick Sullivan has summarized the history of these attacks.

Mitigation of this attack is difficult. The implementation of Same-Site Cookies can prevent compression attacks in some scenarios.


PAC and WPAD leak HTTPS URLs

A very old feature for proxy autoconfiguration can cause security issues for HTTPS connections. PAC and WPAD (Web Proxy Auto-Discovery) allow systems to automatically configure browser proxy settings. WPAD files allow Javascript code that gets executed on each URL request. This can be used to leak URLs via DNS requests. The WPAD specification file can be fetched over various methods, all of them without any protection.

Several researchers have recently independently described these weaknesses in WPAD. There were two talks at the Black Hat conference (1, 2) and one at Def Con one at Def Con.

WPAD was proposed as a draft to the IETF in 1999, but it never became an official RFC. But all major browsers still support it. Some browser vendors were not vulnerable to the attack because they stripped the URL, others have implemented similar protections in response to the recent findings.


Other news