Hackers can bypass HTTPS protection on Windows, Linux and Mac PCs

HTTPS bypass allows hackers to snoop on Windows, Linux, and Mac users’ browsing habits

One of the main reason why all of us trust websites with HTTPS is because the surfing on such sites is invisible to hackers. Most of us are taught to believe that websites with HTTPS encryption are hacker and snooping proof. However, researchers have devised an attack that breaks this protection and bypasses the HTTPS protection allowing potential hackers to spy on you.

The attack works by bypassing the HTTPS encryption which is supposed to prevent this happening. HTTPS would normally prevent the operator seeing the URLs visited by users, but a new technique abuses Web Proxy Autodiscovery  and exposes browser requests to any code the network owner wants plug in. The bypass attack is specifically dangerous for those Windows, Linux and Mac users who use public Wi-Fi and public hotspots. The HTTPS bypass can also be used by your ISP provider to snoop directly on you without your knowledge.

Itzik Kotler, CTO and co-founder, and Amit Klein, VP of security research, at security firm SafeBreach will demonstrate how the attack works at next week’s Black Hat conference in a talk entitled Crippling HTTPS with Unholy PAC.
“People rely on HTTPS to secure their communication even when the LAN/Wi-Fi cannot be trusted (think public Wi-Fi/hotels/cafes/airports/restaurants, or compromised LAN in an organization),” Itzik Kotler, cofounder and CTO of security firm SafeBreach and one of the scheduled speakers, wrote in an e-mail. “We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks.”
So next time you think browsing on a HTTPS-enabled website makes your browsing safe and private, do give this post a thought!

LEAVE A REPLY

Please enter your comment!
Please enter your name here