Slashdot Mirror


BREACH Compression Attack Steals SSL Secrets

msm1267 writes "A serious attack against ciphertext secrets buried inside HTTPS responses has prompted an advisory from Homeland Security. The BREACH attack is an offshoot of CRIME, which was thought dead and buried after it was disclosed in September. Released at last week's Black Hat USA 2013, BREACH enables an attacker to read encrypted messages over the Web by injecting plaintext into an HTTPS request and measuring compression changes. Researchers Angelo Prado, Neal Harris and Yoel Gluck demonstrated the attack against Outlook Web Access (OWA) at Black Hat. Once the Web application was opened and the BREACH attack was launched, within 30 seconds the attackers had extracted the secret. 'We are currently unaware of a practical solution to this problem,' said the CERT advisory, released one day after the Black Hat presentation."

3 of 106 comments

  1. Re:Piece of Cake by Anonymous Coward · Score: 3, Insightful

    Yeah, no worries, 'cause the infrastructure providers and their NSA buddies aren't in the middle.

  2. Re:Disable compression? by Anonymous Coward · Score: 0, Insightful

    Never mind. RTFA for explanation.

  3. Re:Seems pretty dangerous by complete+loony · Score: 3, Insightful

    So web servers need to disable gzip & deflate compression on any https page that might contain something sensitive? Sounds like an easy enough fix to me.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
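The condition the summary and the comment above describe, as an added example that is not from the article, the researchers or any poster here: a constructed page carries a CSRF token and reflects user input in the same compressed body, a defender's check shows the compressed size shrinking when the reflected string repeats bytes of the token, and per-response masking of the token (one of the mitigations the BREACH researchers proposed) keeps the secret from ever appearing verbatim. The template, token value and guess strings are all constructed for the demonstration.

```python
import secrets
import zlib

# Constructed response: a per-session secret (the CSRF token) and reflected
# user input (the search string) share one body that the server compresses
# with gzip/deflate before it goes into TLS.
TEMPLATE = (
    "<html><body>\n"
    "<form action='/transfer' method='post'>\n"
    "<input type='hidden' name='csrf' value='{token}'>\n"
    "</form>\n"
    "<p>Results for: {query}</p>\n"
    "</body></html>\n"
)

def render(token: str, query: str) -> bytes:
    return TEMPLATE.format(token=token, query=query).encode()

def compressed_len(body: bytes) -> int:
    # DEFLATE at the default level, as a web server's gzip module applies it.
    return len(zlib.compress(body))

def reflection_shrinks_response(token: str, matching: str, other: str) -> bool:
    """Defender's check for the BREACH condition: a reflected string that repeats
    bytes of the secret compresses smaller than one of equal length that does not.
    True means response size is a function of the secret; do not serve this page
    compressed, or mask the secret."""
    return compressed_len(render(token, matching)) < compressed_len(render(token, other))

def mask_token(token: str, rng=secrets.token_bytes) -> str:
    """Per-response masking: emit hex(mask || mask XOR token) with a fresh random
    mask, so the secret's bytes never appear verbatim in any response and cannot
    be matched by anything reflected into the page."""
    raw = token.encode()
    mask = rng(len(raw))
    return (mask + bytes(m ^ t for m, t in zip(mask, raw))).hex()

def unmask_token(value: str) -> str:
    """Server side: recover the real token from a submitted masked value."""
    raw = bytes.fromhex(value)
    half = len(raw) // 2
    return bytes(m ^ t for m, t in zip(raw[:half], raw[half:])).decode()

# Constructed values; a real token is random per session.
SECRET = "a1b2c3d4e5f6a7b8"
GUESS_RIGHT = "csrf' value='a1b2c3d4"  # repeats the secret's leading bytes
GUESS_WRONG = "csrf' value='9f8e7d6c"  # same length and alphabet, no overlap
```

The masked form changes on every response, so the repeated-substring match that compression rewards no longer exists; disabling compression on the page, as the comment suggests, removes the oracle entirely at the cost of bandwidth.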