VORACLE

A new attack named VORACLE can recover HTTP traffic sent via encrypted VPN connections under certain conditions.

The attack was discovered by security researcher Ahamed Nafeez, who presented his findings at the Black Hat and DEF CON security conferences held last week in Las Vegas.

VORACLE = CRIME for VPNs

VORACLE is not a new attack per se, but a variation and mix of older cryptographic attacks such as CRIME, TIME, and BREACH.

In those previous attacks, researchers discovered that they could recover data from TLS-encrypted connections if the data was compressed before it was encrypted.

Fixes for those attacks were deployed in 2012 and 2013, and HTTPS connections have been safe ever since.

But Nafeez discovered that the theoretical points of those attacks were still valid when it came to some types of VPN traffic.

Nafeez says that VPN services/clients that compress HTTP web traffic before encrypting it as part of the VPN connection are still vulnerable to those older attacks.

VORACLE can be used to decrypt HTTP traffic sent via VPNs

"VORACLE allows an attacker to decrypt secrets from HTTP traffic sent through a VPN," Nafeez told Bleeping Computer in a private conversation today.

"The aim of the attack is to leak interesting secrets. This can be any cookies, pages with sensitive information, etc.," he added.

Nafeez says his VORACLE attack only works against VPN services/clients built on top of the OpenVPN protocol.

The reason is that the open-source OpenVPN protocol uses a default setting that compresses all data before encrypting it via TLS and later sending it via the VPN tunnel, hence satisfying the conditions of the old CRIME, TIME, and BREACH attacks.

According to Nafeez, all an attacker needs to do is to lure a user to an HTTP site. This site can be under his control, or a legitimate site where the attacker can execute malicious code, for example via malvertising (malicious ads).

This allows the attacker to steal and decrypt "secrets" from that site, such as session cookies, which, in turn, let the hacker log into that website as the user.

VORACLE attacks can be prevented

But there are simple ways to prevent this. For starters, some VPN services/clients allow users to change the underlying VPN protocol, allowing users to switch to a non-OpenVPN protocol.

Second, users can stay away from HTTP websites, as HTTPS traffic sent via any VPN service/client is immune to VORACLE attacks.

Third, the attack does not work in Chromium-based browsers, where HTTP requests are split into multiple parts (header and body). Non-Chromium browsers, such as Firefox, are vulnerable because they send HTTP request data in one big packet. This means that even if you access an HTTP site via an OpenVPN-based VPN service/client via Chrome, the VORACLE attack won't work.

OpenVPN modifies docs page

Nafeez says he notified the OpenVPN project and some VPN providers about his findings. He says that following his report, the OpenVPN project has decided to add a more explicit warning in its documentation regarding the dangers of using pre-encryption compression.

But despite this, the OpenVPN project did not modify its default setting of compressing data before encrypting it as part of the VPN tunnel. This is because compressing data before the TLS encryption has performance benefits, which is a good reason why most VPN services/clients will continue to use this option.

Nonetheless, Nafeez says that at least one provider, TunnelBear, removed compression support from its OpenVPN-based servers following his report. Another one, Private Internet Access, told Nafeez that they disabled pre-encryption compression back in 2014.
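
One way to check whether a given OpenVPN configuration turns on pre-encryption compression is sketched below. It is an example added here, not code from Nafeez or the OpenVPN project; the function names and the sample configs are constructed for illustration, and it assumes compression is controlled by the comp-lzo, compress and allow-compression directives.

```python
import shlex

# Algorithms that really compress; "stub", "stub-v2", "migrate" or no
# argument keep only the compression framing and send data uncompressed.
COMPRESSING_ALGS = {"lzo", "lz4", "lz4-v2"}

def audit_openvpn_config(text):
    """Return [(line_no, directive, risky)] for compression-related lines."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":   # OpenVPN comment markers
            continue
        try:
            tokens = shlex.split(stripped, comments=True)
        except ValueError:                        # unbalanced quote: skip line
            continue
        # A server hands options to clients as: push "comp-lzo yes"
        if len(tokens) >= 2 and tokens[0] == "push":
            tokens = tokens[1].split()
        if not tokens:
            continue
        name, arg = tokens[0], (tokens[1] if len(tokens) > 1 else "")
        if name == "comp-lzo":
            risky = arg != "no"                   # bare comp-lzo means adaptive
        elif name == "compress":
            risky = arg in COMPRESSING_ALGS
        elif name == "allow-compression":
            risky = arg == "yes"                  # permits compressed uplink
        else:
            continue
        findings.append((line_no, " ".join(tokens), risky))
    return findings

def compresses_before_encrypting(text):
    """True if any directive in the config enables or permits compression."""
    return any(risky for _, _, risky in audit_openvpn_config(text))

# Constructed sample configs, not taken from any real provider.
PROVIDER_STYLE = "client\ndev tun\nremote vpn.example.net 1194 udp\n# constructed\ncomp-lzo\n"
SERVER_PUSH = 'port 1194\npush "compress lz4-v2"\n'
HARDENED = "client\ndev tun\n;comp-lzo\ncompress stub-v2\nallow-compression no\n"

if __name__ == "__main__":
    for label, cfg in (("provider", PROVIDER_STYLE), ("server", SERVER_PUSH),
                       ("hardened", HARDENED)):
        print(label, compresses_before_encrypting(cfg), audit_openvpn_config(cfg))
```

A client file that passes this check can still receive a compression setting pushed by the server, so the server-side configuration needs the same audit.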

To help users test VPN services/clients against VORACLE attacks, the researcher shared proof-of-concept code on GitHub. The slides from Nafeez's Black Hat and DEF CON presentation are also available here. The researcher also plans to release a whitepaper detailing the VORACLE attack in more depth.

UPDATE [August 16]: An ExpressVPN spokesperson has told Bleeping Computer that their service has also disabled compression to prevent VORACLE attacks. 
