Network operators can snoop on people's browsing habits and see any webpage they visit thanks to a newly uncovered HTTPS attack.
The attack works by bypassing the HTTPS encryption which is supposed to prevent this happening. HTTPS would normally prevent the operator seeing the URLs visited by users, but a new technique abuses Web Proxy Autodiscovery and exposes browser requests to any code the network owner wants to fling at it.
Itzik Kotler, CTO and co-founder, and Amit Klein, VP of security research, at security firm SafeBreach will demonstrate how the attack works at next week's Black Hat conference in a talk entitled Crippling HTTPS with Unholy PAC.
"We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs," the pair wrote on the Black Hat site.
"We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat."
This isn't the first time that the HTTPS protocol has allegedly been cracked. Documents released by whistleblower Edward Snowden showed that the US National Security Agency has been at it for years by exploiting certain variations of the Diffie-Hellman key exchange algorithm, a common way to exchange cryptographic keys over untrusted channels.
A story emerged earlier this year suggesting that internet users could bypass ISP blocks on torrent sharing and other media streaming sites of dubious legality simply by adding an 's' to the end of 'http' in the address.
Users are told that their non-existent 'iPhoneID' is expiring soon
Expansion of SDK intended to expand Amazon Alexa ecosystem
Locky returns from a prolonged rest with two new variants
AMD lambasted over Radeon RX Vega pricing that will add an extra £100 to RX Vega 56 and 64 graphics cards
Company accused of failing to tell anyone that the launch prices were only introductory offers