Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

New VORACLE Attack Can Recover HTTP Data From Some VPN Connections (bleepingcomputer.com) 49

"A new attack named VORACLE can recover HTTP traffic sent via encrypted VPN connections under certain conditions," reports Bleeping Computer, citing research presented last week at the Black Hat and DEF CON security conferences. An anonymous reader writes: The conditions are that the VPN service/client uses the OpenVPN protocol and that the VPN app compresses the HTTP traffic before it encrypts it using TLS. To make matters worse, the OpenVPN protocol compresses all data by default before sending it via the VPN tunnel. At least one VPN provider, TunnelBear, has now updated its client to turn off the compression. [UPDATE: ExpressVPN has since also disabled compression to prevent VORACLE attacks.]

HTTPS traffic is safe, and only HTTP data sent via the VPN under these conditions can be recovered. Users can also stay safe by switching to another VPN protocol if their VPN client suppports multiple tunneling technologies.

In response to the security researcher's report, the OpenVPN project "has decided to add a more explicit warning in its documentation regarding the dangers of using pre-encryption compression."
This discussion has been archived. No new comments can be posted.

New VORACLE Attack Can Recover HTTP Data From Some VPN Connections

Comments Filter:
  • by BitterOak ( 537666 ) on Saturday August 18, 2018 @03:50PM (#57151118)
    A good encryption algorithm should be able to protect any data, regardless of whether or not it is compressed. If compressing data before encryption renders the encryption algorithm insecure, I would suggest the algorithm was weak to begin with. Perhaps better, newer algorithms are needed. I'd be wary of a solution that just says "turn off compression and you'll be fine."
    • by lsllll ( 830002 )

      A good encryption algorithm should be able to protect any data, regardless of whether or not it is compressed. If compressing data before encryption renders the encryption algorithm insecure, I would suggest the algorithm was weak to begin with. Perhaps better, newer algorithms are needed. I'd be wary of a solution that just says "turn off compression and you'll be fine."

      Huh? Neither algorithm is weak. Did you watch the slides? Each do their own thing well. This is a genius attack, in that it can brute force things like session cookies, passwords, etc.

      In a way it reminds me of SQL attacks that try to find table names by going through alphanumeric and underscores one character at a time until they get the whole table name and then do whatever they want once they have the table names.

    • by chill ( 34294 ) on Saturday August 18, 2018 @05:31PM (#57151542) Journal

      You're not understanding the attack. It isn't an attack on the encryption itself, but rather taking advantage of the fact that compression happens first and being able to inject some data. By injecting some data that is then compressed, and observing the change in resultant size, they can infer certain things about the encrypted payload.

      For example, if the plain text is "AAAABCDEF" a simple compression tool would turn that into "4ABCDEF" before encrypting. The size changed from 9 bytes to 7.

      If you can inject AAA and make it "AAAAAAABCDEF" which then compresses to "7ABCDEF", the size of the resulting encrypted string goes from 12 to 7.

      Both the 7 byte streams are perfectly encrypted, but I could now infer that multiple As are part of the plaintext.

      Yes, this takes the ability to inject data, hence luring to a compromised site. Yes, it takes a LOT of packets to do this, and it really only works on things like web cookies, which are 4K maximum and much smaller in practice.

      But is has nothing to do with the quality of the encryption algorithm.

      • Okay, I think I understand what you're saying, but it sounds like this could only happen if there is a very badly designed system which appends data from an untrusted source to data from a trusted source and compresses them together. It would seem a trivial fix would be to start the compression algorithm fresh whenever the source of the data changes.
        • by chill ( 34294 )

          It does rely on the ability of the bad guy to inject data and observe the change. Really only plain text stuff going thru a VPN, which almost always means HTTP.

          Chrome is immune to this, as it splits the header and body of plain requests into separate packets. Firefox sends them in the same packet, so it is not a mitigation. Safari, IE, Opera, Edge, etc. aren't mentioned in the slides.

          A fix would be to simple not compress header fields and only compress body data. A quick fix is to just toggle off compressio

        • by robbak ( 775424 )

          No, this is unavoidable if you compress and encrypt. If you do this, you will leak information about your encrypted data through the size of the cyphertext.

          The solution is just to never compress data that you are going to encrypt. You might be able to obfusticate matters by padding the compressed data to a standard size, but that only makes the task a little difficult - for instance, you could adjust the size of the compressed payload so your fiddling pushes it across the threshold to the next larger standa

        • by AHuxley ( 892839 )
          Find a brand that has fixed their VPN service.
        • by DarkOx ( 621550 ) on Sunday August 19, 2018 @05:50AM (#57153526) Journal

          What you don't understand is that you just described virtually every web page. This is essentially the same attacks that worked on SSL3.0 and TLS1.0 when compression was enabled.

          The reason it works is that the attacker has access to 99% (roughly) of the plain text. Lets say I want to discover you bank routing number on a web page. As the attacker I register myself and discover the size and all the non-dynamic content on the page. I can inject my own content say a short string of numeric characters and compress the data. I can than observe the change in size.

          Now if I am observing your network traffic and I know what site your pulling say based on the IP address. I can sit and look at the transfer size. When I see a server response the same size as one of my candidate compression tests; I now know at least one possible value for the dynamic content.

          Its not a problem with the encryption algorithm. The message would not be recoverable unless I already knew almost all of it. Without thousands of cipher texts I can even begin to work out the change content. TLS address this by padding the responses with a little random length data.The trouble is the plain protocol has no padding and the VPN does not either. This can be fixed easily but its going to have a negative performance impact.

      • Hence why in encryption, we typically pad the data stream to a fixed size regardless of input packet size. Yes, this kind of undermines the practicality of weaker (fast) compression but itâ(TM)s more secure. These kinds of attacks have been known about for quite a while and standard test questions in any encryption course.

      • If it really works like you describe it's a pretty far-fetched attack method though: the site must already be compromised, but not in a way that allows the attacker to simply read the messages to begin with. The likelyhood of that set of circumstances is about zero.

        • by chill ( 34294 )

          Well, I over-simplified. The *site* doesn't have to be compromised, thanks to the way the web works. Injected elements in something like ad rotation will do it. The attacker just has to have SOME way of injecting data into the stream.

          But, yes, it is a pretty unlikely scenario.

    • by MrL0G1C ( 867445 )

      FTA:
      "According to Nafeez, all an attacker needs to do is to lure a user on an HTTP site. This site can be under his control, or a legitimate site where the attacker can execute malicious code â"for example, via malvertising (malicious ads).

      This allows the attacker to steal and decrypt "secrets" from that site, such as session cookies, which, in turn, let the hacker log into that website as the user."

      Doesn't sound like much to worry about to me, the hacker can only get data from sites under their contro

  • by whoever57 ( 658626 ) on Saturday August 18, 2018 @04:11PM (#57151182) Journal

    "According to Nafeez, all an attacker needs to do is to lure a user on an HTTP site. This site can be under his control, or a legitimate site where the attacker can execute malicious code â"for example, via malvertising (malicious ads).

    This allows the attacker to steal and decrypt "secrets" from that site, such as session cookies, which, in turn, let the hacker log into that website as the user."

    If I understand this correctly, the user has to visit a http: site under the control of the attacker and then the attacker can grab secrets associated with that site?

    • by lsllll ( 830002 ) on Saturday August 18, 2018 @04:25PM (#57151244)
      All the attacker needs is to be able to inject something into the communication stream, pre-compression, and be able to monitor the length of the packets being sent back and forth. Over time, given that the same information is being sent over and over (think cookies), the attacker can then brute force the contents.
    • Javascript can easily trigger GET & POST requests for other domains. Add a test sequence to the url or post body while a MITM attack is watching the compressed size of the packets. If it compresses better the test sequence must appear somewhere else in the request bytes sent to the server. See also BREACH & CRIME.
      • Javascript can easily trigger GET & POST requests for other domains.

        So that means that to attack, I must:
        1. Lure someone to a http endpoint that I control.
        2. Be able to watch the encrypted traffic.

        So, basically, the answer is to bypass the VPN for http endpoints. You should not be sending or receiving anything secure to http websites anyway.

  • It seems that the attack requires the victim to load the same page many times, in order to measure differences in packet length? In real life, how often one visits the same page (and this page doesn't change)? If I understand this correctly, the attack will be very slow in real life, apart from some specific cases where user visits a website which reloads itself continuously.

    Also, in this day and age, would anyone trust authenticated sites which do not use https? These sites themselves are the main problem.

    • by Anonymous Coward

      A malicious ad can just issue 256 async page requests and wait for them all to return, and then choose the one with the shortest payload as the next letter of the password (because it compresses better). It repeats that 8x, and then it has your password before you even notice that it was using bandwidth.

      • by hazard ( 2541 )

        You mean it is possible to force loading of the parent URL from cross-domain child? I was under impression that it won't work without specific code to support that on the parent side.

    • by AHuxley ( 892839 )
      The security services are getting into and around VPN products.
      Bullrun (decryption program) https://en.wikipedia.org/wiki/... [wikipedia.org]
      The security services like collect/to exfiltrate/coerce private keys. Then its just real time collection. US brands offering pre-encryption access to police/US gov/mil.
      ie getting both ways in with Key Provisioning, Key Recovery. The other method is just to create and approve junk crypto with the US gov/mil as the only "creator" under the cover of cybersecurity best practice.
  • My AirVPN configs have had "comp-lzo no" in it since I've been using them so no worries about that. Looking up more info, it seems some of the AirVPN ovpn files generated for specific devices have it enabled because it would otherwise not work on that device (eh what?), but they still have lzo compression disabled on their server end so it is not used regardless.

    Source for this info: https://airvpn.org/topic/29036... [airvpn.org]

    • by nawcom ( 941663 )

      And I'll just add that it's annoying that on neither TFA or on this /. post is the actual setting comp-lzo specifically mentioned. You have to interpret the patch diff linked in TFA.

      To disable lzo compression, make sure "comp-lzo no" is included in the config as mentioned in my parent post.

The trouble with being punctual is that nobody's there to appreciate it. -- Franklin P. Jones

Working...