Security researchers at the Dutch University of Leuven demonstrated a new cyber attack technique that has experts stumped. What makes this technique so scary is that it identifies a vulnerability at the core protocol level of all of today ’s secure online traffic. What’s worse is that there are no patches, no fixes, no short term solutions. This hack is here to stay.
The use of SSL/TLS and certificates have been the basis of almost every secure transaction on the internet for decades. As an internet consuming society, we’ve just rounded the bend on making HTTPS, the SSL variant of HTTP, the default option for all web-traffic.
Then came a new attack, HEIST, and undermined all of that progress. This new approach uses a technique similar to that which the scientists at Bletchley Park (i.e Alan Turing) used to crack the Enigma machine during WWII. HEIST, like Alan Turing and Marian Rejewski's methods, involves known-plaintext. The attackers remove significant entropy from the encryption breaking by assuming certain known-plaintexts (K-PA). For Turing it was cribs like weather reports (i.e "WETTER”). For HEIST, it’s parameters like “?email=” and “&username,” combined with a few more modern techniques like compression and timing hacks. HEIST is a brilliant construction of several attack vectors, all working in concert.
What’s interesting about HEIST is not its parallels to history. What’s interesting is how deep the vulnerability is inside the infrastructure of the Internet. While many agree that we have some known structural problems, like the Root Certificate Authorities, technology vendors have insisted that alternative uses of SSL, either through pinning or self-signed certificates, can still be leveraged in a secure way. Well, HEIST proves that is not true. Patchwork, superficial solutions to security are no longer enough to withstand the intrinsic vulnerabilities in our protocols.
It would be easy to stop there and let the “doom and gloom” of HEIST sink in. But that’s not what the team at Uniken does. We have, for a long time, been working to come up with the next generation of secure protocols. We didn’t just patch the holes in protocols, we rebuilt them from the ground up.
How are we different? Typical internet requests treat connections equally. This leaves room for things like “the oracle” attack - one major component of HEIST. Tiny changes in requests leak tiny bits of information about the encryption. Put those bits together and you’ve got enough information to hack that connection. In standard encrypted communication like HTTPS, treating connections equally makes sense - encrypted channels are established before authentication can happen. With Uniken’s product REL-ID, this model is reversed. Device, application, and user identity have to be aligned before a channel is established. Moreover, complete information about the identity is always split. You can’t just hack the browser, like HEIST does. To hack REL-ID, you have to hack the device, the application, the user credentials, the channel, and the server… all at the same time. That’s what makes REL-ID so powerful.
Until REL-ID is embedded in every browser, HEIST will continue to be a source of risk for businesses and enterprises. Regardless of that, the Uniken team will continue to refine REL-ID and work to secure every connection we can. We can’t fix yesterday ’s technology, but we can provide you with tomorrow ’s.
If you’d like to know more about how Uniken’s REL-ID product revolutionizes online protocols, contact us.