New HTTPS Attack Breaks Browser Security

Andrew Orr In the News

Hackers uncover a new attack that breaks HTTPS encryption, used for securing web traffic.  Due to the nature of HTTPS, this undermines security on macOS, Windows, and Linux.

Further Reading

Is Your Website Part of a Botnet?

Erasing Yourself From Websites Got a Little Easier

What is HTTPS?

Hypertext Transfer Protocol or HTTP is a technology that helps link web pages together. HTTPS, sometimes called HTTP over TLS, HTTP over SSL and HTTP Secure, is when web traffic uses Transport Layer Security or Secure Sockets Layer for encryption. When a website uses HTTPS, you know that the website is what it says it is, and not a fake website.

In the early days of the internet companies used HTTPS mainly for payment services like banking. Eventually, tech companies pushed for all websites to use HTTPS, especially the Electronic Frontier Foundation (EFF) which provides a browser extension.

HTTPS Attack

Itzik Kotler, cofounder, and CTO of security firm SafeBreach, told ArsTechnica:

“People rely on HTTPS to secure their communication even when the LAN/Wi-Fi cannot be trusted…we show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks.”

WPAD, short for Web Proxy Autodiscovery is a method by which web clients can find the URL of a configuration file called a Proxy Auto-Config (PAC) using DHCP and/or DNS discovery. Hackers can abuse WPAD in the attack to expose certain browser requests. The hacker can then see the whole URL of every website that you visit.

This exploit breaks almost any browser and operating system. Next week security researchers at BlackHat will demonstrate the attack in a presentation called Crippling HTTPS with Unholy PAC.

Black Hat’s website states:

“The speaker will share how his team initially deployed a WPAD experiment to test whether WPAD was still problematic or had been fixed by most software and OS vendors.”

The attack only affects the URL and not other components of HTTPS. This is still a big problem. For example, the OpenID standard uses the URL as a way for sites and services to authenticate their users. Another example is document sharing using Google Docs and Dropbox. These services work by sending the user a security token which is part of the URL.

Using malware in an attack is also possible. The hacker targets the network settings of a computer to use a malicious proxy. People affected by this version would not suspect anything. The URL field in the browser still shows HTTPS. However, if a hacker uses malware as part of the attack, the computer’s network configuration shows the attacker’s URL.


Right now there are no fixes. This exploit attacked the WPAD specification first created back in 1998. Companies making browsers and operating systems cannot easily fix it right now. Companies can achieve a quick fix by copying Microsoft’s Edge browser which uses the FindProxyForURL function. Users can technically disable WPAD, but they could not connect to any network that relies on WPAD.