Hi G33Ks,

Approach exploits how HTTPS responses are delivered over transmission control protocol.
A demo planned for Wednesday will show how an ad hosted on nytimes.com could attack other HTTPS-protected sites.

The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don't have the ability to monitor a targeted end user's Internet connection.

The exploit is notable because it doesn't require a man-in-the-middle position <https://en.wikipedia.org/wiki/Man-in-the-middle_attack>. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols <http://en.wikipedia.org/wiki/Transport_Layer_Security> and measure the precise file sizes of the encrypted data they transmit.

As its name suggests, the HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol <https://en.wikipedia.org/wiki/Transmission_Control_Protocol>, one of the Internet's most basic building blocks.

Further: http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/

Thanks,
Naik
