danger to HTTPS, doom to SPDY

Since the BREACH attack, it seems that there is no way to transport content securely in the HTTP world.

The BREACH arrack is a HTTP version of CRIME, which recovers encrypted message by analyzing compress ratio of different media. It is well-know that people can distinct picture from text by the compress ratio, however, before CRIME, there is no easy way to detect what exactly the information is by the ratio only. But the breach always exists. The word “faster” and “sunoru” have the same length, however, the entropy(binary) of “faster” is 2.58496, and the entropy of “sunoru” is 2.25163. So, if you know the origin length(6) of the words, and also get access of the entropy of the words, you can easily obtain rich information from the results. For a “prefect” compress algorithm with a observe-only way to get information, you can get how much time different alpha is included in each word, which, generally, is not so useful(But shouldn’t be public even so). But real world compress algorithm is NOT prefect, and real world environment is NOT observe only. You can send a message to the server to determine which real world compress method the server is using, and you can obtain much more information form the simple ratio if multiply requests are made by CRIME attack.

For HTTPS, it represents a danger for web pages with simple information. For example, some banks in China using number in a picture to show how much money you have, when the picture is compressed, it is pretty easy to obtain the real number the picture shows by compress ratio. By using a precomputed table, you can decrypt millions of those “money pictures” per second with a Macbook Air. So if you find your bank is transport money number in picture, you should be aware it may be a deliberate way to publish those information to the whole net.

However, for SPDY, your app may be cracked even without deliberate setups. SPDY’s speed is based on compressed headers, which include URL, cookie, and authority token. As client will send the header wherever people visit the same site, you just need to XSS the client to a static page(eg. a 404 page~), then you can obtain all the information in the header without any painful struggle. And when you get the header, you get the URL(so the complete browsing history is public), the cookie and authority token(so the log-in status of the personal), and all the content of page. So, it’s just like that you are visiting the page using HTTP without S.

Not only HTTPS and SPDY is effected, Tor, which uses gzip as it’s compression algorithm, is also affected. But it may be not so easy to crack Tor as it reuses TCP tunnel… SSH with compress can also be decrypted this way, however, it need some small skill and lucky to do the gzip guess as you cannot easily make the user resend things.

In conclusion, SPDY is just like clear text for a careful attacker, and HTTPS is not so secure anymore…

Good news is that Network working group finally find danger in compression, and decide not to support compression any more in TLS 1.3 draft-02. Have I said that is a good news? It seems not a pleasant one for those with limited network resources…