Sign in / up

back to article Spies rejoice! Gmail, Facebook Messenger BREACHed once again

Research pair Dimitris Karakostas and Dionysis Zindros have upgraded their attack (codenamed BREACH) that pierces the web's most common ciphers, and released a framework to help well-heeled hackers and state-sponsored spies spy on the likes of Facebook and Gmail. At Black Hat Asia, the pair demonstrated once again how secure …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Paratrooping Parrot
    Mushroom

    Some may complain "Why are people publishing details of exploits?" Thing is, I have a feeling that governments and *cough* NSA *cough* have probably been using these exploits.

    This is why using computer communications worry me. There is no way to keep a secret. :(

    3 0 Reply

    1. This post has been deleted by its author

      1. Mark 85
        Reply Icon

        If you are using a public free email service the Internet , I would automatically consider it compromised

        FTFY

        5 1 Reply
      2. allthecoolshortnamesweretaken
        Reply Icon

        Using public free e-mail service = sending postcards. EOF.

        5 1 Reply
  2. Anonymous Coward
    Anonymous Coward

    Same principle as in real life

    If you're a low profile target then you can protect yourself by being better secured than the average target.

    The higher your profile the more active your defence needs to be and the more you need to be aware that multiple threat layers exist including (or especially) the people you give privileged access to.

    Celebrities spend more on security than we do, and high profile web properties do the same.

    None of the principles are new. There are just more attack vectors now.

    5 0 Reply
    1. Elmer Phud
      Reply Icon

      Re: Same principle as in real life

      "Celebrities spend more on security than we do"

      They may spend more but it seems they are very lax on its implementation.

      4 0 Reply
  3. Anonymous Coward
    Anonymous Coward

    Good I don't read emails via HTTP(S)

    The browser is a silly platform for critical tasks. Too many things shared among everything that runs upon it.

    6 0 Reply
  4. cantankerous swineherd
    Headmaster

    "once again how secure traffic from popular web services" this is called cognitive dissonance. THE TRAFFIC ISN'T SECURE. it's not secure BECAUSE IT'S ON THE FUCKING INTERNET. does it take a stupid old fart to apprise you of this fact? ans=yes.

    1 4 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      The f******g Internet is just a TCP/IP network

      Traffic *can be secured*. The very problem is the equation "The Internet" = "www" = "HTTP". Plus "everything must run in a web *browser* ".

      "Browsers" and most "web application" would need a total redesign to make them truly secure, because they are based on a model designed to share information in a trusted environment, not to keep information secure in an hostile one.

      Unluckily since most web standards are in the hands of companies whose very reason of existence is to slurp data (and MS joined happily them, eventually), you'll never see truly secure design which would also cut themselves out of user data.

      0 0 Reply
  5. Crisp

    More illustrations by Randall Munroe please.

    Even if you have to lock him up in your basement.

    0 0 Reply
  6. TJ1

    Relies on Javascript

    1. have control of the victim's network and install interceptor/sniffer

    2. inject - into unauthenticated HTTP responses of some 3rd site - a Javascript

    3. Javascript makes cross-site probe requests to the target site

    3a. Javascript cannot read responses due to cross-origin policy block

    4. network sniffer intercepts probe responses and analyses them

    Yet another very good example of why using HTTPS for everything, having Javascript disabled by default, monitoring, and selectively enabling, are effective protections for many attack vectors like this.

    Browser add-ons like uMatrix, NoScript, etc. will all help.

    0 0 Reply
  7. Someone_Somewhere

    Meanwhile

    'Calomel SSL Validation' tells me that the forums here are unsafe/unsecured, 'Prevent writing passwords without SSL' has to be switched off if I want to log in here and although 'Plain Text Offenders' is coincidentally disabled at this moment I wouldn't be at all surprised to find that it red-flagged el Reg as well.

    /sigh/

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like