BREACH Compression Attack Steals SSL Secrets

msm1267 writes "A serious attack against ciphertext secrets buried inside HTTPS responses has prompted an advisory from Homeland Security. The BREACH attack is an offshoot of CRIME, which was thought dead and buried after it was disclosed in September. Released at last week's Black Hat USA 2013, BREACH enables an attacker to read encrypted messages over the Web by injecting plaintext into an HTTPS request and measuring compression changes. Researchers Angelo Prado, Neal Harris and Yoel Gluck demonstrated the attack against Outlook Web Access (OWA) at Black Hat. Once the Web application was opened and the Breach attack was launched, within 30 seconds the attackers had extracted the secret. 'We are currently unaware of a practical solution to this problem,' said the CERT advisory, released one day after the Black Hat presentation."

Re:Why use HTTP Compression?

[Anonymous Coward]

Browse the web without Javascript and with an ad blocker. It's like moving from dialup to broadband.

While I loathe JavaScript on a professional level, I gotta say: It's time to give up the Lynx browser. There can't be that many interesting Gopher sites left!

Re:Disable compression?

[The Wild Norseman]

Nevermind. RTFA for explanation.

See? Text compression in action!

Re:Piece of Cake

[Score Whore]

Same network? Like the internet?

*head explodes*

WTF? Do you happen to know the etymology of "internet"?