
New attack steals SSNs, e-mail addresses, and more from HTTPS pages - jvannistelrooy
http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/
======
tremon
This article is based on a BlackHat talk (also linked in article):
[https://www.blackhat.com/us-16/briefings/schedule/#heist-htt...](https://www.blackhat.com/us-16/briefings/schedule/#heist-http-encrypted-information-can-be-stolen-through-tcp-windows-3379)

------
joveian
Summary: a side channel via the new Resource Timing and Fetch APIs allows
BREACH or CRIME to be implemented via third-party cookies. Disabling
third-party cookies prevents this attack.

~~~
turbohedgehog
What about disabling those APIs?

------
drzaiusapelord
> Because the compression used by just about every website works by eliminating
> repetitions of text strings, correct guesses result in no appreciable increase
> in data size while incorrect guesses cause the response to grow larger.

Frankly, I'm a little surprised that popular encryption schemes don't pepper
the data with some random noise the client would know how to filter out.
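
The length signal described in the quoted passage, and one site-side way to blunt it by re-encoding the secret with a fresh random pad on every response, as an added example (not from the article or from anyone in this thread). The page template, the token value, and the helper names `render`, `wire_len`, `mask`, `unmask` and `length_gap` are all constructed for illustration.

```python
import os
import zlib

# Constructed sample secret (32 hex chars); not a real token.
SECRET = "3b7e1c94a05f2d68c1e07a49b6d35f82"
RIGHT_GUESS = SECRET
# Same length as SECRET, no 3-character substring in common with it.
WRONG_GUESS = "e4a19d07c6b3582f7d90b2c8415fa6e3"

def render(reflected: str, field: str) -> bytes:
    """Hypothetical page that echoes a request parameter next to a secret."""
    return (
        "<html><body><p>Search results for: " + reflected + "</p>"
        "<form><input type='hidden' name='csrf' value='" + field + "'></form>"
        "</body></html>"
    ).encode()

def wire_len(body: bytes) -> int:
    """Size of the DEFLATE-compressed body; encryption does not hide it."""
    return len(zlib.compress(body, 9))

def mask(secret_hex: str, pad=None) -> str:
    """Encode the secret as pad || (pad XOR secret), fresh pad per response."""
    raw = bytes.fromhex(secret_hex)
    pad = os.urandom(len(raw)) if pad is None else pad
    return pad.hex() + bytes(p ^ s for p, s in zip(pad, raw)).hex()

def unmask(field_hex: str) -> str:
    """Server-side recovery of the secret from a masked field."""
    data = bytes.fromhex(field_hex)
    half = len(data) // 2
    return bytes(p ^ m for p, m in zip(data[:half], data[half:])).hex()

def length_gap(field_for_response) -> int:
    """Compressed size with the wrong guess minus size with the right one."""
    wrong = wire_len(render(WRONG_GUESS, field_for_response()))
    right = wire_len(render(RIGHT_GUESS, field_for_response()))
    return wrong - right

if __name__ == "__main__":
    # Plain secret: the right guess is deduplicated, so the gap is large.
    print("plain secret gap :", length_gap(lambda: SECRET))
    # Masked secret: neither guess repeats anything in the page.
    print("masked secret gap:", length_gap(lambda: mask(SECRET)))
```

Masking only covers secrets the server issues and can re-encode on every response; user data rendered in the page, such as an e-mail address, still compresses against a reflected guess.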

------
anonbanker
Moxie's "SSL is a joke"[0] talk in 2011 keeps staying relevant after all these
years.

[0] [https://www.youtube.com/watch?v=Z7Wl2FW2TcA](https://www.youtube.com/watch?v=Z7Wl2FW2TcA)

------
hexane360
What's the consensus on a website owner preventing this? An end user?

~~~
babuskov
User: Disable 3rd party cookies in the browser?

