Slashdot Mirror

← Back to Stories (view on slashdot.org)

BREACH Compression Attack Steals SSL Secrets

Posted by Unknown on from the mod-gzip-considered-harmful dept.

msm1267 writes "A serious attack against ciphertext secrets buried inside HTTPS responses has prompted an advisory from Homeland Security. The BREACH attack is an offshoot of CRIME, which was thought dead and buried after it was disclosed in September. Released at last week's Black Hat USA 2013, BREACH enables an attacker to read encrypted messages over the Web by injecting plaintext into an HTTPS request and measuring compression changes. Researchers Angelo Prado, Neal Harris and Yoel Gluck demonstrated the attack against Outlook Web Access (OWA) at Black Hat. Once the Web application was opened and the Breach attack was launched, within 30 seconds the attackers had extracted the secret. 'We are currently unaware of a practical solution to this problem,' said the CERT advisory, released one day after the Black Hat presentation."

71 of 106 comments (clear)

  1. NSA go talk to those CERT boys!!! by icebike · · Score: 2

    Those guys are giving away all your exploits.

    --
    Sig Battery depleted. Reverting to safe mode.
    1. Re:NSA go talk to those CERT boys!!! by ls671 · · Score: 1

      Already done the talk a long time ago.

      --
      Everything I write is lies, read between the lines.
  2. Piece of Cake by rotorbudd · · Score: 2

    Lets see, gotta have man in the middle AND requires the attacker and victim to be on the same network.
    Piece of cake!

    --
    A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
    1. Re:Piece of Cake by Manfre · · Score: 2

      Lets see, gotta have man in the middle AND requires the attacker and victim to be on the same network.
      Piece of cake!

      If some one manages to wire in to my network, they won't need to bother with this exploit. They'll have a lot more access.

    2. Re:Piece of Cake by Anonymous Coward · · Score: 3, Insightful

      Yeah, no worries, 'cause the infrastructure providers and their NSA buddies aren't in the middle.

    3. Re:Piece of Cake by DarkOx · · Score: 1

      I might be missing the obvious but I don't see the *need* to be on the same network. A couple nailed up ARP entries on your next hope router, a nailed up arp on a separate router with some NATs all at your ISP should enable your favorite three letter agency to this from the comfort of their Washington offices.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:Piece of Cake by ls671 · · Score: 1

      Wouldn't just one compromised machine on your wired network fit the bill?

      --
      Everything I write is lies, read between the lines.
    5. Re:Piece of Cake by phantomfive · · Score: 5, Informative
      Here's the list of requirements from CERT. All of these must be true for the attack to work. From this list, a creative person could think of many ways a website could avoid this exploit, but it's harder for the client.

      1. HTTPS-enabled endpoint (ideally with stream ciphers like RC4, although the attack can be made to work with adaptive padding for block ciphers).
      2. The attacker must be able to measure the size of HTTPS responses.
      3. Use of HTTP-level compression (e.g. gzip).
      4. A request parameter that is reflected in the response body.
      5. A static secret in the body (e.g. CSRF token, sessionId, VIEWSTATE, PII, etc.) that can be bootstrapped (either first/last two characters are predictable and/or the secret is padded with something like KnownSecretVariableName="".
      6. An otherwise static or relatively static response. Dynamic pages do not defeat the attack, but make it much more expensive.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Piece of Cake by imikem · · Score: 1

      Not on a switched network unless you get on a specially configured port. It has been a long time since most wired networks had shared access. Wireless however is generally a shared medium.

      --
      Perscriptio in manibus tabellariorum est.
    7. Re:Piece of Cake by viperidaenz · · Score: 4, Informative

      Client protection is simple. Disable HTTP content compression using the Accept-Encoding HTTP request header.

    8. Re:Piece of Cake by skids · · Score: 1

      It's actually rather rare, even these days, for a switched network to be properly configured to protect against MAC flooding attacks. Actually, it's probably more common in enterprise setups for the WiFi to be more secure than the wired, since WPA-Enterprise is getting pretty common.

      --
      Someone had to do it.
    9. Re:Piece of Cake by Score+Whore · · Score: 3, Funny

      Same network? Like the internet?

      *head explodes*

      WTF? Do you happen to know the etymology of "internet"?

    10. Re:Piece of Cake by pmontra · · Score: 1

      Any public wifi network will do, at restaurants, conferences, trains, airports etc. Remember firesheep? Where that worked this will work too.

    11. Re:Piece of Cake by phantomfive · · Score: 1

      ok, how do you do that? Or are you talking about a source code modification?

      --
      "First they came for the slanderers and i said nothing."
    12. Re:Piece of Cake by Anonymous Coward · · Score: 2

      go to about:config in and modify the setting for network.http.accept-encoding?

    13. Re:Piece of Cake by TheRaven64 · · Score: 1

      If you have a managed switch, sure. If you have a cheap OTS switch, then you won't even get a notification that one of the nodes is doing an ARP flooding attack on the switch...

      --
      I am TheRaven on Soylent News
    14. Re:Piece of Cake by Anonymous Coward · · Score: 4, Informative

      what do i modify it to?

      gzip;q=0,deflate;q=0

  3. Verisign Insurance by nemesisrocks · · Score: 1

    Perhaps Verisign can offer some form of overpriced "insurance" to make customers feel safer on the Internets. I'm sure it'll be thrown in for "free" with a "SecureSite Ultimate" package, for a mere $1500! GoDaddy will no doubt follow suit.

  4. WiFi by the+eric+conspiracy · · Score: 1

    So if sounds like this could be practical on a WiFi network??

  5. Seems pretty dangerous by mstefanro · · Score: 5, Interesting

    This is quite an ingenious attack, but I am very surprised it has taken people so long to find it, as it is very straightforward and easy to understand conceptually. Makes you wonder "how did I not think of that".

    Although it may seem like the requirements of a successful attack are difficult to achieve, this may not be the case.
    It is usually very easy to inject some plain-text in the source code of webpages.

    On facebook:
    https://www.facebook.com/photo.php/INJECT_WHATEVER_YOU_WANT_HERE/
    If you view the source of that URL you can see the text "INJECT_WHATEVER_YOU_WANT_HERE" appears 3 times in the source code.
    By appending the query string, on youtube:
    https://www.youtube.com/watch?v=hLkugwOYbFw&INJECT_WHATEVER_YOU_WANT_HERE
    And on google:
    https://www.google.com/?INJECT_WHATEVER_YOU_WANT_HERE

    That means that an attacker can extract secret information from a lot of the HTTPS pages that you're visiting.

    When I first read about this attack, the first fix that came into my mind was to just append /* [random text of random size] */ to all text/html responses.
      But this may cause troubles: if the random padding is too large, the purpose of compression
    is defeated. If it is too small, workarounds may be found.

    Maybe it is time to start thinking of algorithms that perform compression and encryption together, not separately?

    1. Re: Seems pretty dangerous by mstefanro · · Score: 4, Informative

      This attack has little to do with SSL itself or the cryptosystems used. It's more about the preservation of size when encrypting. Combined with compression, information about the amount of entropy in the plaintext is leaked. If you are allowed to manipulate parts of the plaintext a lot of times, then amount of entropy leakage provides with an answer to the question "does the injected substring appear anywhere else in the plaintext?".

    2. Re:Seems pretty dangerous by mstefanro · · Score: 1

      Are the governments doing more powerful research than the rest of the world combined?

    3. Re:Seems pretty dangerous by Rockoon · · Score: 1

      SO,how about fixing the compression ratio and padding more when compression is more efficient to mask the actual secret?

      ..and what ratio would that be?

      You seem to be thinking that everything can be compressed.

      --
      "His name was James Damore."
    4. Re:Seems pretty dangerous by rtb61 · · Score: 2

      Of course is a shift to a broadband world, simply drop the compression and just go with the encryption. If your are compressing to save bandwidth and then padding to secure the compression, which not only takes up bandwidth but initial compute cycles, simply drop the compression and cut out the point of attack.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:Seems pretty dangerous by complete+loony · · Score: 3, Insightful

      So web servers need to disable gzip & deflate compression on any https page that might contain something sensitive? Sounds like an easy enough fix to me.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    6. Re:Seems pretty dangerous by ArsenneLupin · · Score: 1

      And cookies would be protected (normally...) as they are included in the header (not compressed) rather than the body.

  6. Re:So what exactly is required for this to work? by mstefanro · · Score: 2

    They just make you visit a malicious website, at which point they can force you to make as many HTTPS requests as they want. They use img src IIRC.

  7. Re:Sending secrets again by mstefanro · · Score: 1

    Some information simply does not change from one request to the other. In case of facebook, my name appears on the top blue bar on every page. An attacker can therefore extract my name using this technique.

  8. Why use HTTP Compression? by ebno-10db · · Score: 1

    FTA: "mitigations include disabling HTTP compression"

    What's the point of HTTP compression anyway? Text is a small part of the bandwidth, and most other stuff (pictures, etc.) are already kept/stored/transferred in highly compressed formats like JPEG. Trying to compress files like that does little or no good. What am I missing here?

    1. Re:Why use HTTP Compression? by mstefanro · · Score: 4, Informative

      Open the Net panel of Firebug on this page and then refresh it a couple of times. Order the HTTP requests by Size. You will see that the HTML of this page is takes the vast majority of bandwidth. Images are simply a "304 Not modified", whereas the HTML is a "200 OK" of ~41KB at this time.
      So in case of Slashdot, HTML is the bandwidth bottleneck, not images.

    2. Re:Why use HTTP Compression? by sexconker · · Score: 1

      Open the Net panel of Firebug on this page and then refresh it a couple of times. Order the HTTP requests by Size. You will see that the HTML of this page is takes the vast majority of bandwidth. Images are simply a "304 Not modified", whereas the HTML is a "200 OK" of ~41KB at this time.
      So in case of Slashdot, HTML is the bandwidth bottleneck, not images.

      IN the case of Slashdot, there is no bandwidth bottleneck. It's the miles of shitty, shitty, Javascript that make everything turn to shit.
      Browse the web without Javascript and with an ad blocker. It's like moving from dialup to broadband.

    3. Re:Why use HTTP Compression? by Anonymous Coward · · Score: 2, Interesting

      You can start to figure out how to render the page as soon as you have the HTML (and javascript, css etc.). It's on the critical path, as the HTML is what tells you what else to download, like images. Any speed-up in transferring the HTML directly leads to lower latency on loading a webpage. Text compresses very well so the reduction is significant. The text is much larger than you think for large pages or even for small pages when you include javascript, css and so on. Even http headers are now being compressed and that on it's own turns out to be worthwhile. This is especially significant on mobile where bandwidth is low, latency is high and every bit transferred costs money (if you are not on an unlimited plan) and drains the battery.

    4. Re:Why use HTTP Compression? by mstefanro · · Score: 1

      If 90% of slashdot's traffic is used to send HTML, then that is their bottleneck,
      and it's where it is most effective to apply compression (Amdahl's law).

    5. Re:Why use HTTP Compression? by Cramer · · Score: 1

      You've not looked at many modern web "applications", have you? The amount of javascript, style sheets, and html markup is ENORMOUS. It's common for sites to save 50-75% of bandwidth enabling compression. (for sites that aren't primarily images, etc.)

    6. Re:Why use HTTP Compression? by Anonymous Coward · · Score: 4, Funny

      Browse the web without Javascript and with an ad blocker. It's like moving from dialup to broadband.

      While I loathe JavaScript on a professional level, I gotta say: It's time to give up the Lynx browser. There can't be that many interesting Gopher sites left!

    7. Re:Why use HTTP Compression? by yamum · · Score: 1

      Amdahl's law?

    8. Re:Why use HTTP Compression? by philip.paradis · · Score: 1

      Amdahl's law

      --
      Write failed: Broken pipe
    9. Re:Why use HTTP Compression? by Ash-Fox · · Score: 1

      Amdahl's law?

      More information available here: http://bit.ly/196JZ2u

      --
      Change is certain; progress is not obligatory.
    10. Re:Why use HTTP Compression? by yamum · · Score: 1

      I know this. How is it related to compression?

    11. Re:Why use HTTP Compression? by philip.paradis · · Score: 2

      I believe you missed the key phrase "where it is most effective." The first sentence of the linked article:

      Amdahl's law, also known as Amdahl's argument,[1] is used to find the maximum expected improvement to an overall system when only part of the system is improved.

      The reference was to the utility of compression in this case, not the mechanics of it.

      --
      Write failed: Broken pipe
    12. Re:Why use HTTP Compression? by yamum · · Score: 1

      mod parent up!

    13. Re: Why use HTTP Compression? by K.+S.+Kyosuke · · Score: 1

      If you don't care to think about security, that is.

      Why is this such a big deal? Is it a problem to transfer the large static data compressed and then splice the sensitive information into the DOM using JS by making small highly secure HTTPS transfers that avoid compression? Given how the "single-page web applications" are becoming commonplace, this sounds like an obvious idea to me.

      --
      Ezekiel 23:20
    14. Re:Why use HTTP Compression? by sexconker · · Score: 1

      Browse the web without Javascript and with an ad blocker. It's like moving from dialup to broadband.

      While I loathe JavaScript on a professional level, I gotta say: It's time to give up the Lynx browser. There can't be that many interesting Gopher sites left!

      NoScript is your friend. Allow sane shit, block tracking and advertising horseshit.
      Then slap Greasemonkey on there and run your own scripts to replace ugly/shitty scripts.

    15. Re:Why use HTTP Compression? by mcgrew · · Score: 1

      Ran across your comment while metamoderating and modded you down for that shortened URL. Short URLs are not to be trusted, you could send people to goatse or even malware. It's OK in a sig because of space limitations, but completely unacceptable in a comment. If the link's not a disgusting troll repost the actual URL of whatever you're linking and don't use stupid URL shorteners in comments. I metamod almost daily and always mod short URLs as "troll"; I'm not stupid enough to click something suspicious like that.

      --
      Free Martian Whores!
    16. Re:Why use HTTP Compression? by Ash-Fox · · Score: 1

      I'm not stupid enough to click something suspicious like that.

      What I took from this is that you're "stupid enough" not to know how to preview short URLs.

      --
      Change is certain; progress is not obligatory.
    17. Re:Why use HTTP Compression? by mcgrew · · Score: 1

      There's no more reason to than there is to post shortened URLs in the first place. Not going through the trouble and I shouldn't have to.

      --
      Free Martian Whores!
    18. Re:Why use HTTP Compression? by Ash-Fox · · Score: 1

      I've used it to avoid Slashdot's lameness filter, which has recently been fairly hard on me.

      --
      Change is certain; progress is not obligatory.
    19. Re:Why use HTTP Compression? by mcgrew · · Score: 1

      How would a short URL defeat the lame filters? That seems backwards; a long URL of lowercase letters might possibly defeat the SHOUTING filter and the "not enough characters per line" filter. You have me puzzled.

      --
      Free Martian Whores!
  9. Security 101 by dog77 · · Score: 1

    It should be security 101 that you never send your secrets, just send proof that you know the secret.

    1. Re:Security 101 by Agent+ME · · Score: 1

      This attack could be used by an attacker to figure out your Facebook username for example. Should Facebook avoid sending your username in pages to you? And then sometimes you actually need to tell the client a secret they have to know, like an anti-CSRF token.

    2. Re:Security 101 by viperidaenz · · Score: 1

      If the proof you send that you know the secret doesn't change, that proof becomes the secret.

    3. Re:Security 101 by dog77 · · Score: 1

      For a given https connection, each side can prove to the other that they have knowledge of the authentication cookie, without sending their part of that knowledge. There are probably many ways this could be done, and I am not going to pretend I know the best way, but here is one way. Each side sends random challenges as part of the connection establishment. Each side receives the challenge and encrypts it using the public key generated at the time of the authentication cookie establishment. The challenge response is embedded in the first http request and response. There is some overhead and latency, but next to the TLS/SSL, this is minor, and also reusing connection becomes more important, or other ideas like Google's Quic protocol make even more sense.

    4. Re:Security 101 by dog77 · · Score: 1

      No it does not, because you can't use it again. At best you call it a one time secret.

    5. Re:Security 101 by gl4ss · · Score: 1

      the access token is in every request going to the direction of the server.. it's the same.

      --
      world was created 5 seconds before this post as it is.
  10. Re:Disable compression? by The+Wild+Norseman · · Score: 4, Funny

    Nevermind. RTFA for explanation.

    See? Text compression in action!

    --
    "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
  11. BREACH = CRIME by WaffleMonster · · Score: 1

    Amused by notion one would expect a different outcome with HTTP layer vs TLS layer compression. In every way that matters it is exactly same issue only this time attack analysis is limited to response body.

    Also have some trouble with assertion "it is very common to use gzip at the HTTP level." For static assets sure however I expect numbers for dynamic content to be a much different story.

    1. Re:BREACH = CRIME by Covener · · Score: 1

      Also have some trouble with assertion "it is very common to use gzip at the HTTP level." For static assets sure however I expect numbers for dynamic content to be a much different story.

      It's in fact very common for dynamic content.

  12. Re:Sending secrets again by viperidaenz · · Score: 1

    There are already SSO products out there that constantly change the value of the session cookie.

  13. Re:Sending secrets again by WaffleMonster · · Score: 1

    How about we don't send the same secret every freaking time? Maybe sign the message with the secret, or just trust that the darn TLS session is doing its job?

    If any content (not just secrets) in the response can be altered as a result of the request the compression algorithm can be leveraged to leak information about the response.

  14. Re:SSL is a weak crypto protocol by WaffleMonster · · Score: 2

    My personal view is that SSL provides adequate protection against casual passive observer. It would be very useful if we had means of communicating securely on the Internet, but we do not.

    Go ahead and blame the technology for gross misuse and predictable outcome of errecting global trust anchors. SSL is plenty secure when used properly.

  15. Compress sensitive strings in separate blocks. by complete+loony · · Score: 2

    The DEFLATE and gzip formats allows multiple blocks of compressed data as well as blocks containing literals with no compression. Plus, just because the default implementation always looks for duplicate strings, doesn't mean you always have to do so. While it would add a heck of a lot of complexity, it should be possible for a web server to ignore duplicates that occur in sensitive strings, and output them in literal blocks so that they don't effect the frequency data of the rest of the stream. All without requiring any changes to browser implementations. This is far from simple, but could probably be done in a generic way for well known http headers.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    1. Re:Compress sensitive strings in separate blocks. by complete+loony · · Score: 1

      CRIME was about TLS and detecting the request. BREACH is about detecting something about the response, that could be in the header, or not.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    2. Re:Compress sensitive strings in separate blocks. by Covener · · Score: 1

      Cannot be in the header, since the headers are not compressed in HTTP.

    3. Re:Compress sensitive strings in separate blocks. by complete+loony · · Score: 1

      I specifically said that this change would be complicated. But it could be done with a set of configurable regular expressions, or new server side language semantics to indicate which strings were sensitive.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  16. Re:Sending secrets again by dog77 · · Score: 1

    My understanding is that the attacker can't alter the secret, but they control the URL of the request, and try to alter so that as the URL more closely matches the secret, the overall request and response compresses to a smaller size. So there is nothing really of value until the attacker gets the secret, since the attacker is the one creating the request (i.e. the URL).

  17. Elliptic Curve Cryptography is immune by Anonymous Coward · · Score: 1

    The CERT advisory is wrong.
    “There’s a small, but definite chance that RSA and non-ECC Diffie-Hellman will not be usable for security purposes within two to five years”

    The sooner the world switches to ECC the better.

  18. We're in trouble by Anonymous Coward · · Score: 1

    Anyone else getting the feeling we're approaching security the wrong way? There will never be an end to these kind of exploits. Worse yet, they force us to reduce performance in order to gain security.

    1. Re:We're in trouble by cyrano.mac · · Score: 1

      You're referring to the NSA, I presume?

    2. Re:We're in trouble by OneAhead · · Score: 1

      So, what's the right way, then?

    3. Re:We're in trouble by Pieroxy · · Score: 1

      Nuke them from orbit. It's the only safe way.

      --
      Write boring code, not shiny code!
  19. Re:SSL is a weak crypto protocol by pnutjam · · Score: 1

    A properly designed VPN provides secure communications.

    --
    Cheap storage VM.