web application security lab

Side Channel Attacks in SSL

42 posts left until my last…

For those of you who may not have seen it, there is a very good paper, written partially by Microsoft Research and partially by Indiana.edu, called Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow. Initially it really upset me that this paper was written, not because it’s not excellent, but because it’s partially what I was going to be speaking about at Blackhat. Alas… they came out with it first, and frankly, I think they did a much better job at slicing and dicing with the math. So once being upset about being beaten to the punch had worn off, Josh Sokol and I had to change the presentation that we’ll be doing at Blackhat, and we’ll only be glossing over this as a result. But please check it out; it must have taken quite a while to build up those abuse cases.

Anyway, the reason I originally started thinking about this was because of something from Bruce Schneier I read a decade or so ago (I believe it was in Applied Cryptography). It basically said that in certain crypto systems you could tell certain things about the people involved without breaking the encryption. For instance, if you had one user who sent an encrypted message to two users, who then sent the same message to four users, who then sent it to eight, and so on… you might be able to infer a chain of command (or, just as likely, a really funny/crude joke that no one wants their bosses to find out about).

But when you’re talking about HTML, you have a lot of things that act as subordinates in much the same way as a chain of command might. For instance, HTML can load JavaScript, CSS, Objects, etc… those can load more JavaScript, Images, Bindings, etc… All of that has a certain behavior in the browser, and in one way or another it can be detected on the wire even though the traffic is encrypted. So the trick is: how do you detect it? The Indiana paper does a good job of enumerating some of those possibilities, but there are a lot of other tricks an attacker could use as a man in the middle to reduce the noise on the wire. That’s what the presentation is largely about. Anyway, check out the paper!
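To make the leak described above concrete, here is an added example (not code from the original post or the paper) that models the HTML → CSS/JS → image fan-out as the sequence of encrypted response lengths a passive observer sees, shows that the sequence alone identifies the page, and shows what padding does and does not hide. Page names and byte counts are constructed for illustration.

```python
# Added example, not from the original post. Models how the subresource
# chain of a page shows up on the wire as a sequence of encrypted response
# lengths, and how much of that padding removes. All values are constructed.
import math

# Response lengths (bytes) of the root document and its subresources, in
# load order. TLS hides the content but not (approximately) the length,
# and the number of fetches is visible as well.
PAGES = {
    "account_overview": (4120, 1330, 980, 2210),        # html, css, js, img
    "transfer_funds":   (3870, 1330, 1765, 2210, 640),  # html, css, js, img, js
    "logout":           (1190, 1330),                   # html, css
}

def observed_trace(page, bucket=None, fixed_count=None):
    """Length sequence a passive observer sees for `page`.

    bucket:      pad every response up to a multiple of this size.
    fixed_count: append dummy responses (one bucket each) so that every
                 page produces the same number of fetches.
    """
    sizes = list(PAGES[page])
    if bucket:
        sizes = [math.ceil(s / bucket) * bucket for s in sizes]
    if fixed_count:
        sizes += [bucket or 0] * (fixed_count - len(sizes))
    return tuple(sizes)

def build_fingerprints(bucket=None, fixed_count=None):
    """Map each observable trace to the set of pages that produce it."""
    fp = {}
    for page in PAGES:
        fp.setdefault(observed_trace(page, bucket, fixed_count), set()).add(page)
    return fp

def identify(trace, bucket=None, fixed_count=None):
    """Pages consistent with a captured trace (empty set if none match)."""
    return build_fingerprints(bucket, fixed_count).get(trace, set())

def uniquely_identifiable(bucket=None, fixed_count=None):
    """How many pages the observer can single out with certainty."""
    return sum(1 for pages in build_fingerprints(bucket, fixed_count).values()
               if len(pages) == 1)

if __name__ == "__main__":
    capture = observed_trace("transfer_funds")  # stands in for a sniffed trace
    print("pages matching capture       :", identify(capture))           # {'transfer_funds'}
    print("unique pages, no padding     :", uniquely_identifiable())          # 3
    print("unique pages, 4 KiB buckets  :", uniquely_identifiable(4096, 5))   # 1
    print("unique pages, 8 KiB + dummies:", uniquely_identifiable(8192, 5))   # 0
```

Padding sizes alone still leaks the fetch count and any response that crosses a bucket boundary; only padding both length and count collapses the three traces into one.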

9 Responses to “Side Channel Attacks in SSL”

  1. Me Says:

    What is that thing about 42 until your last?

  2. IHWAN Says:

    I also believe it was in Applied Cryptography :)
    Thank you for the information.

  3. RSnake Says:

    @Me - just what it says. My blog ends in 42 more posts. 1000 seems like a nice round number. It’s a nice decimal and binary number at the same time. My blogging days are coming to an end. I’ll talk all about it when the time comes.

  4. The One (Hacking Snake) Says:

    Hi Dude, you cannot go out by this way, no matter if you like 1000 for the fact it is a nice decimal or binary number. I’ve followed you in your journey, I’m so far away from you (Brazil - Sao Paulo); anyway, visiting your blog to get news about web app security is an important piece of my daily routine, so… it will be hard to hide the empty space after you go, guy… Try to think better: is your mission with us really done? Think about it. Hugs []s and regards from Brazil

  5. Me Says:

    I understand the “going out in a blaze of glory” thing.

    But it is a shame. Your blog is very good and fun to read.

  6. RSnake Says:

    @The One - No, the mission of web application security is not done, but my blogging days on ha.ckers.org are soon over. There are more than enough sites out there talking about application security, and it’s time they deserve the credit for being important resources written by talented professionals. There’s no reason for me to continue the blog. I made a promise to myself that I’d quit when I got to 1000, and I try to never break my promises. :) But seriously, I had a lot of fun, but there was also a lot of drama. Now I’m just tired, and I think it’s time to do something else. I’m not disappearing completely and I’ll still hit up the conferences, I just don’t think the blog is for me anymore. It’s time for someone else to fill my shoes (and hopefully make less mistakes than I have in the process).

    @Me - They always say, leave on a good note. :) Thanks for the support. It’s not over yet though… Got 40ish posts to go.

  7. The One (HackingSnake) Says:

    @RSnake - When I get the nice opportunity to go to your conferences… it will be a pleasure for me… anyway, try to keep reachable and don’t forget… You’ve got a loyal soldier here in Brazil at your service; you’ve taught me a lot of things… a nice point of view about web apps and many other lessons that I am proud to have learned. Now it’s time to enjoy your last 40 posts and wish you the best things in this world, guy… success, health and long life. “God bless you”!…
    Yours: The One.

  8. RSnake Says:

    @The One - thank you, sir! I appreciate it. I’ll always be reachable, don’t worry. :)

  9. Thsunamy Says:

    @RSnake: What about 1024? It suits a computer guy much better :)