Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

SSL, Gone in 30 Seconds - A BREACH Beyond CRIME

Black Hat via YouTube

Overview

Explore a groundbreaking hands-on talk that unveils new targeted techniques for retrieving encrypted secrets from HTTPS channels. Delve into the algorithm behind this browser-based attack, which can extract session identifiers, CSRF tokens, OAuth tokens, email addresses, and ViewState hidden fields in under 30 seconds. Learn how basic statistical analysis can be applied to extract data from dynamic pages, and discover practical mitigations to implement immediately. Gain insights into the vulnerability posture of various SaaS vendors and access the BREACH tool, released to help the community assess exposure levels and deploy appropriate protection measures. The 56-minute presentation covers compression overview, CRIME against response body, BREACH architecture and command & control, SSL length revelations, compression oracle, roadblocks, mitigations, and future work in this critical area of cybersecurity.

Syllabus

Intro
AGENDA
COMPRESSION OVERVIEW
A CRIME AGAINST THE RESPONSE BODY
BREACH / the ingredients
BREACH / architecture
BREACH / command & control
C&C/ logic
SSL REVEALS LENGTH
COMPRESSION ORACLE (IT)
THE ORACLE
YET MORE ROADBLOCKS
MITIGATIONS
FUTURE WORK

Taught by

Black Hat

Reviews

Start your review of SSL, Gone in 30 Seconds - A BREACH Beyond CRIME

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.