Man-in-the-middle attacks from Pretty-Bad-Proxy can break HTTPS connections

Aug 11, 2009 11:00 GMT  ·  By

In a research project carried out at Microsoft, developers broke numerous secure HTTPS connections using a man-in-the-middle attack with the aid of a specially configured proxy. Based on the results of this research, security experts from SecurityFocus revealed several vulnerabilities found in all major modern browsers.

The SecurityFocus advisory initially targeted Mozilla (which subsequently released a security update), but it was recently updated to cover all major browsers: Opera, Internet Explorer, Safari and Chrome.

Using Pretty-Bad-Proxy (PBP), three developers from Microsoft and a teaching assistant from Purdue's Computer Science department revealed several loopholes in browser behavior regarding HTTPS connections. They were able to inject HTML and script into a secure page, which led to a breach of the HTTPS connection without ever breaking the cryptographic scheme.

This way, they were able to steal secure data from the connection, fake a secure server, fake a secure page and impersonate an authenticated user in a server-client conversation. Regarding this issue, the developers said in their statement that “These vulnerabilities reflect the neglects in the design of modern browsers. […] Thus further (and more rigorous) evaluations of the HTTPS deployments in browsers appear to be necessary.”

According to the researchers, all major web browser companies were informed about this issue and have planned to patch their browsers. So far, only Firefox has been updated, in June. Meanwhile, the rest of the browsers remain vulnerable to man-in-the-middle attacks on HTTPS connections.

In principle, the major flaw that cripples all browsers is that they render error messages returned by the proxy (for example 4xx and 5xx responses) inside the secure context of the HTTPS page being requested, so requests and data belonging to that page can be sniffed and modified by PBP. If cookies are enabled and involved in the authentication process, credentials and account information can be intercepted and stolen.
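As an added illustration, not code from the Microsoft paper or the SecurityFocus advisory, the following Python models the flaw at the HTTP CONNECT step: the pre-fix client treats a proxy error body as a document of the requested HTTPS origin, while the hardened client discards it because nothing received before the TLS handshake is authenticated by the target's certificate. The origin name and the proxy replies are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed reply a PBP-style proxy could send instead of opening the tunnel.
# The body is attacker-controlled plain HTTP; no TLS has happened yet.
PROXY_ERROR_REPLY = (
    b"HTTP/1.1 502 Bad Gateway\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><script>document.title='injected'</script></html>"
)
# Constructed reply from an honest proxy: the tunnel is opened, TLS follows.
PROXY_OK_REPLY = b"HTTP/1.1 200 Connection established\r\n\r\n"

@dataclass
class ConnectOutcome:
    tunnel_established: bool
    render_origin: Optional[str]  # origin whose privileges the body would get
    body: bytes                   # what would be handed to the HTML renderer

def parse_connect_reply(raw: bytes):
    """Split a CONNECT reply into its status code and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = re.match(r"HTTP/1\.[01] (\d{3})", status_line)
    if not m:
        raise ValueError("malformed proxy reply")
    return int(m.group(1)), body

def naive_client(raw: bytes, target_origin: str) -> ConnectOutcome:
    """Pre-fix behaviour described in the article: the proxy's error page is
    rendered as if it were a page of the HTTPS site being requested, so any
    script in it runs with that site's cookies and DOM access."""
    status, body = parse_connect_reply(raw)
    if status == 200:
        return ConnectOutcome(True, None, b"")
    return ConnectOutcome(False, target_origin, body)

def hardened_client(raw: bytes, target_origin: str) -> ConnectOutcome:
    """Fixed behaviour: a non-200 CONNECT reply came from the proxy, not the
    site, so its body is dropped and only a browser-generated error page with
    no web origin is shown."""
    status, _ = parse_connect_reply(raw)
    if status == 200:
        return ConnectOutcome(True, None, b"")
    return ConnectOutcome(False, None, b"")
```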

The complete report from SecurityFocus can be found here and the Microsoft research here.

Photo gallery (5 images): major browsers' logos; a standard PBP attack; embedding scripts in 4xx and 5xx error messages.