Network operators can snoop on people's browsing habits and see any webpage they visit thanks to a newly uncovered HTTPS attack.
The attack works by bypassing the HTTPS encryption which is supposed to prevent this happening. HTTPS would normally prevent the operator seeing the URLs visited by users, but a new technique abuses Web Proxy Autodiscovery and exposes browser requests to any code the network owner wants to fling at it.
Itzik Kotler, CTO and co-founder, and Amit Klein, VP of security research, at security firm SafeBreach will demonstrate how the attack works at next week's Black Hat conference in a talk entitled Crippling HTTPS with Unholy PAC.
"We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs," the pair wrote on the Black Hat site.
"We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat."
This isn't the first time that the HTTPS protocol has allegedly been cracked. Documents released by whistleblower Edward Snowden showed that the US National Security Agency has been at it for years by exploiting certain variations of the Diffie-Hellman key exchange algorithm, a common way to exchange cryptographic keys over untrusted channels.
A story emerged earlier this year suggesting that internet users could bypass ISP blocks on torrent sharing and other media streaming sites of dubious legality simply by adding an 's' to the end of 'http' in the address.
Double legal trouble for Musk as he also faces civil lawsuit over renewed British pot-holer 'paedo' claims
Battery development could help boost performance of smartphones
Topological photonic chips promise a more robust option for scalable quantum computers
In quantum physics both the chicken and the egg can come first, claim University of Queensland researchers
Cause-and-effect is not always straightforward in quantum physics