Information Leakage in a Cisco VPN Stream [4C3-799]
Austin Klasa and Daniel Sokoler
Making the Internet Fast Again…At The Cost of Security There is a relatively new suite of performance improving communication protocols being broadly adopted on the Internet such as SPDY, HTTP/2 and QUIC. These protocols are being rapidly implemented to improve the performance of the Internet. More than 10% of the top 1 Million websites are already using some of these technologies, including much of the 10 highest traffic sites. In this talk, we will look specifically at a vulnerability in Google’s QUIC (Quick UDP Internet Connections, pronounced quick) protocol. QUIC is used in all Google services and exclusively in Chrome with over 1 billion monthly users using QUIC worldwide. Specifically, we will highlight over optimization in QUIC’s implementation of AES-GCM exposing the length for messages under 300 bytes. We take this vulnerability in QUIC and apply it to build a plausible online attack against the largest free, e-mail provider.