For protection, we all heard the name of VPN, right? VPN is a service that allows accessing the internet and leaving the lowest possible footprint of yourself, ensuring your privacy. However, a new method of attack can now recover HTTP traffic that you send through a secure (encrypted) VPN connection. Of course, under certain conditions, not in all cases!
The name of the attack is quite charming – VORACLE. The attack was discovered by security researcher Ahamed Nafeez. The finding about the attack was presented at the Black Hat and DEF CON security conferences.
What is VORACLE?
To be honest, VORACLE isn’t a brand new attack method. Instead, it’s a combo and variation of some already-existing older cryptographic attacks like BREACH, TIME and CRIME.
In the previous attacks, researchers discovered that data was recoverable from TLS-encrypted connections if the compression of data happened before encrypting. Fixes for those attacks were out in 2012 and 2013 and since then, HTTP connection was safe.
What Nafeez discovered that the theoretical points of those attacks are still valid in the case of some VPN traffic types. He pointed out that the VPN clients/services that compress the HTTP web traffic before the encryption as a part of the connection are still vulnerable to those older attacks.
VORACLE can decrypt HTTP traffic sent via VPNs
According to Nafeez, VORACLE still allows an attacker to decrypt the original content of the HTTP traffic that’s going through the VPN connection. He explains that the aim of this attack is to leak secrets like cookies, page with sensitive info etc.
Nafeez also pointed out that VORACLE only works against the VPN services/clients that use the OpenVPN protocol as their core. OpenVPN is open-source and uses a default setting – compressing all the data before encryption via TLS and later, sending it via the VPN tunnel. Thus, it satisfies the conditions of the old attacks – BREACH, TIME and CRIME.
VORACLE is preventable
Despite VORACLE is so dangerous, it is still preventable in a very simple way. For example, some VPN services/clients allow modifying this setting to switch to a non-OpenVPN protocol.
Second, when surfing the net, users can decide not to surf websites that only offer HTTP. Thus, by only browsing the HTTPS sites, even if the attacker gets their hand on the traffic, it won’t be understandable to them.
Third, the attack doesn’t seem to be working in the case of Chromium-based browsers that split the HTTP requests in multiple parts like header and body. It means that even if you access HTTP sites using Chrome and other Chrome-based browsers, you won’t be susceptible to VORACLE.
TunnelBear removed the compression support for its OpenVPN-based servers. Private Internet Access also confirmed that they disabled the pre-compression back in 2014.
Stay safe on the internet!