HTTPS Bypassed On Windows, Mac, And Linux

this sucks

so don't log onto important accounts when not at home?
What should people who travel often do then?

>>55864860
>people still believe in security meme
Just don't use web for anything but entertainment. It's all ogre.

>>55864860
Can't read it atm since I'm at work, what does it say?

>>55864860
>http://www.valuewalk.com/2016/07/https-bypassed-windows-mac-linux/
>this attack only makes the full URL of visited websites available to the hacker
It's fucking nothing. Everyone knows wifi hotspots are insecure anyway.

>>55864953
URL leak by using proxy auto discovery. Just host an open hotspot and collect tokens to various services, they are often embedded into URL. Actual content isn't leaked.

>>55864953
HTTPS Bypassed On Windows, Mac, And Linux by Ali Raza

HTTPS was considered immune to hackers looking to track the websites visited by a user. A new hack breaks this HTTPS protection in Windows, Linux, and Mac systems. The hack can be carried by Wi-Fi hotspot operators, Ars Technica reports.

HTTPS encryption assured users that the addresses of the websites they visit could not be monitored or viewed by data snoopers and other such malicious users. However, a new hack has broken this encryption. This hack can be carried out on any network, most notably in Wi-Fi hotspots, where this encryption is most required.

This hack is possible by illicit usage of a feature called WPAD, which is short for Web Proxy Autodiscovery. Doing so will expose some browser requests to the code controlled by the attacker. The attacker can then view all the websites user visits. It is said that this exploit works in all browsers on every operating system. This HTTPS hack is scheduled to be unveiled in a Black Hast security conference in Las Vegas next week.

The enormity of this attack is still discussed. Although this attack only makes the full URL of visited websites available to the hacker, the consequences of that are too grave. This is because many websites and web services use URL to authenticate a user. For example, Google’s Dropbox uses a security token in the URL. Even some password-reset mechanisms use this token security technique. So despite the attacker gaining access only to the full URL, he or she can misuse that to great effect.

Itzik Kotler, co-founder of SafeBreach, is one of the scheduled speakers at the conference in Las Vegas next week and addressed this issue in an email. He said that this hack is of great concern, for people all over the world rely on HTTPS encryption in places where their LAN/Wi-Fi cannot be trusted. According to him, people using non-trusted networks are under threat when WPAD is enabled.

>>55864860
>using non-trusted networks
>not using vpn
It's like you're trying to get hacked

>>55864997
>For example, Google’s Dropbox uses a security token in the URL.
>Google's Dropbox
The fuck am I reading?

Web developer here.

If I put any secret codes in a POST request body instead, are they safe?

>>55864877
VPN or stunnel through your home connection.

>>55865032
>Web developer here
>Not knowing the difference between the different methods and when to use them

File: pizza-chris.gif (939KB, 500x282px) Image search: [Google]

939KB, 500x282px

>>55864997
>Google’s Dropbox

>>55864860
is this another redirect to similar site type of mitm?
user searches: google, attacker forwarding the traffic returns googlle

How about bsd?

>>55864860
>Not using vpn with killswitch.
>Proxy autodiscovery is disabled by default on mac.

>>55864877
use your browser through a ssh tunnel, maybe?

>>55864860
If you are using the URL to store secure information it sounds like a problem with implementation.
What stops a serious "Hacker" from taking a picture of your monitor on the "secure" website's address bar?

I don't care about this attack, because none of my sites would be effected. HTTPS and SSL are secure transport layers, not some bulletproof shroud that magically makes your poor design invulnerable to attack.

>>55864860
>only works on wi-fi owned or pwned by the attacker
>works on all OSes
Anyone who does anything mission critical in an open air environment and expects https to save them is retarded.

Also
>tokens in URL
>be sooper leet hacker
>use telephoto camera from across the street from coffee shop
>hack all the girls useless social networking accounts
>ransom for bitcoins
>open the door
>get on the floor
>everybody walks the dinosaur

File: le_beta_clap.gif (2MB, 246x437px) Image search: [Google]

2MB, 246x437px

>>55869301

>>55864860
>that pic
I'm seriously considering to try *BSD.
Thanks, Anon.

File: eren-cercen.jpg-large.jpg (203KB, 1024x1516px) Image search: [Google]

203KB, 1024x1516px

>>55870107
>I'm seriously considering to try *BSD.

Will you seriously consider that, if I tell you this is how that girl looks now?

FreeBSD, not even once.

>>55870965
>aging makes women look bad
consider me shocked

>>55864860
Fuck off. I already tried the bsd.
I'd rather be hacked.
It's probably just that the internet doesn't work at all using bsd.

>>55870965
She's a pigeon ? Gross.

File: ercen-ceren2.png (1MB, 1206x1184px) Image search: [Google]

1MB, 1206x1184px

>>55871013
Well, ageing and shoving food down her pie hole.

File: ercen-ceren-large.jpg (110KB, 1080x720px) Image search: [Google]

110KB, 1080x720px

>>55871107

File: ceren-ercen-bird.jpg (78KB, 960x720px) Image search: [Google]

78KB, 960x720px

From this:
http://www.bishopston.com/jamie/misc/bsd-daemonette/

To that
<----

>>55871093
xDDD

>>55870965
>>55871114
>>55871142
>>55871253
So this is what BSD does to people. Can she still be saved by introducing some Linux in her diet?

>>55864997
>Wi-Fi shit.
Yeah who cares. Everyone already knew Wi-Fi connections were insecure.

>>55864860
Do I have to worry about this on a private home wifi?

>>55871327
This is what happens when you use a cuck OS that uses a cuck license. Linux is the only salvation.

>>55873167
i love how any mention of BSD makes you crawl out of the woodworks

im sure the OP pic was carefully picked just for that

>>55873277
BSD license is extremely permissive though

>>55873312
i can guarantee you that if you mention BSD on any other thread in /g/ he will find the post and comment on it

>only works with wpad

so its something you have been able to exploit for fucking years? i am not impressed, you can already find ways around https by mitm the dns requests among other things, although it is getting harder and harder to pull it off successfully

>>55864997
>web proxy auto detect
Shit should never be enabled in the first place.

>using insecure networks
J E J

>>55873312
so's ur mom :6)

File: 1466917291247.png (25KB, 710x225px) Image search: [Google]

25KB, 710x225px

>>55873424
That's whwre you're wrong

File: nice.gif (1MB, 320x240px) Image search: [Google]

1MB, 320x240px

>>55873092
>tfw cucks spending a clean fortune on their phone plans in Canada
>b-but muh LTE speeds
>1GB usage allowance tho m8
>y-yea but wifi and muh LTE

mfw i just have an essentially unlimited 3G plan for fractions of the cost and never need to use some half assed wifi in starcucks

>>55864997
>This is because many websites and web services use URL to authenticate a user. For example, Google’s Dropbox uses a security token in the URL.
literally retarded

>>55864860
>needs WPAD to work
>Firefox doesn't use WPAD at all
gee, good thing I never fell for the chrome meme

>>55873528
How legit is this anon?

>>55873490
You think your LTE is more secure than Wi-Fi? That's cute.

>>55871114
I recognize that shitty cowboy bebop desktop.

>>55873940
not that guy but lte is more secure than wifi you dingus.

>>55874115
Compared to Ethernet?

>>55873636
>"Auto-detect proxy settings for this network"
not legit at all

>>55874232
Ain't that the unsafe option? Or am I confused?

>people using VPN are unaffected
whoop de fucking shit.

>>55865032
I would think so since the artie states they can obly only see the url. I'm not sure how POST data is send through. Maybe in the headers? If so it might be possible they also have access to those

>>55864903
you realise businesses use the internet to business right?

>HTTPS was considered immune to hackers looking to track the websites visited by a user.
First line. I stopped reading there. Laughably false and generally bad on so many levels.

>>55864997
>Google's Dropbox
>Google
>Dropbox

Kek

>>55874115
explain why. I bet you can't.

File: swannydabs.png (69KB, 234x334px) Image search: [Google]

69KB, 234x334px

mfw https bypass

>>55864860
Look at those linux nerds.

>>55864860
That's what they get for not using FREE (as in freedom) software.

>>55871114
is she lifting the keyboard with her hand or is it her gravitational pull?

>>55876714
good thing I'm a neet

File: p-roux-en-y-gastric-bypass.jpg (24KB, 325x365px) Image search: [Google]

24KB, 325x365px

As an American, the only bypass I care about is a stomach bypass.

>>55871114
>>55878342
>>55874085
that's a homestuck meme, it's not actually a woman doing "programming"

>>55873493
yep, at worst they should use a fragment identifier so it's not sent over in a fucking get request.

>>55871114
>>55878342
>>55874085
that's a homestuck meme, it's not actually a woman doing "programming"

>>55873364
DNS only gives the domain though, not the complete URL

Anyway why this should not work on BSD? Doesn't it support WPAD?

>>55873421
>implying a secure network is a thing

>>55878443
Damn that shit looks so, depressing.

>>55879438
It does if it doesn't leave the building. For all intents and purposes anyway.