Industry News

Researchers Find Hole in TLS, Can Now Snoop on Your Secure Traffic

Researchers at the Royal Holloway University of London have uncovered a range of methods to attack the TLS cryptographic protocol to expose encrypted data circulating between clients and servers.

According to the report, exploitation of the TLS protocol requires that the attacker be close to the target machine to detect small differences in the time at which TLS error messages appear on the network in response to attacker-generated cipher-text.

“Because of network jitter and other effects, the times observed by the attacker are noisy, and multiple samples of each time are needed to make the attacks reliable,” wrote the researchers in a blog post on the findings. “In their simplest form, our attacks can reliably recover a complete block of TLS-encrypted plaintext using about 223 TLS sessions, assuming the attacker is located on the same LAN as the machine being attacked and HMAC-SHA1 is used as TLS’s MAC algorithm.

TLS is currently used as the de-facto encryption mechanism for securing communications against man-in-the-middle attacks and traffic sniffing. It provides data confidentiality and integrity even when the user is sending sensitive information across insecure networks, such as unencrypted Wi-Fi or public wired networks.

Bottom-line: don’t rely on mathematics to safeguard your private data. When transferring critical information across a network, make sure you’re not doing this across public networks or while connected to wireless hotspots.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.