BREACH (security exploit)
BREACH (a backronym for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) is a security exploit against HTTPS when using HTTP compression. BREACH builds on the earlier CRIME security exploit and completely defeats the standard mitigation against CRIME, which is to disable TLS-level compression. BREACH was announced at the August 2013 Black Hat conference by security researchers Angelo Prado, Neal Harris and Yoel Gluck.
Like the CRIME exploit, which performs a chosen-plaintext oracle attack against the data compression built into the Transport Layer Security (TLS) layer of HTTPS, BREACH performs a similar attack, but against HTTP compression: the use by web browsers and web servers of the gzip or DEFLATE compression algorithms, negotiated through the Content-Encoding header of HTTP. The attacker needs a page that is served over HTTPS with HTTP compression, that reflects attacker-controlled input (for example a query parameter) into the same response body that contains a secret such as a CSRF token, and whose encrypted responses the attacker can observe on the wire, since TLS does not hide their length. Because DEFLATE replaces a repeated string with a back-reference to its earlier occurrence, an injected guess that matches the start of the secret makes the compressed response slightly shorter than a wrong guess does. Given this compression oracle, the rest of the BREACH attack follows the same general lines as the CRIME exploit: the secret is recovered one byte at a time, each round extending the already recovered prefix with every candidate byte and keeping the candidate that yields the smaller response, with padding and repeated requests used to overcome Huffman-coding noise and the rounding of the compressed size to whole bytes.
BREACH exploits compression of the HTTP response body rather than of the TLS record. Therefore, turning off TLS compression, which is sufficient to mitigate the CRIME exploit, makes no difference to BREACH: the chosen-plaintext attack runs against the HTTP payload, which is compressed before TLS ever sees it.
As a result, clients and servers are either forced to disable HTTP compression completely, reducing performance, or to adopt workarounds that only address individual attack scenarios: keeping secrets out of responses that also reflect user input, masking each secret with a fresh random value on every response so that the same token never compresses the same way twice, rate-limiting requests, adding random padding to hide the response length, or requiring cross-site request forgery (CSRF) protection on the reflecting page so that a cross-site request cannot trigger it at all.
Another suggested approach is to disable HTTP compression whenever the Referer header indicates a cross-site request, or when the header is not present. This approach mitigates the attack without losing functionality for same-site traffic, incurring a performance penalty only on the affected cross-site requests.
- Goodin, Dan (August 1, 2013). "Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages". Ars Technica.
- Angelo Prado, Neal Harris and Yoel Gluck. "SSL, gone in 30 seconds: A BREACH beyond CRIME". Retrieved 2013-09-07.
- Omar Santos (August 6, 2013). "BREACH, CRIME and Black Hat". Cisco.
- Ivan Ristic (October 14, 2013). "Defending against the BREACH Attack". Qualys.com. Retrieved 2013-11-25.
- manu (October 14, 2013). "BREACH mitigation". Qualys Community. Retrieved 2013-11-25.