
Webmaster General Forum

    
No Fix Yet For https BREACH Traffic Attack
engine




msg:4602639
 11:34 pm on Aug 16, 2013 (gmt 0)

No fix is available for an attack that can recover plain-text information from encrypted HTTPS traffic in 30 seconds or less.

The BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was discovered by Salesforce.com lead product security engineer Angelo Prado, Square application security engineer Neal Harris, and Salesforce.com lead security engineer Yoel Gluck. They first presented their findings in full at last week's Black Hat information security conference in Las Vegas. According to the researchers, all versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable to the attack, but not every HTTPS-using site is necessarily at risk.

No Fix Yet For https BREACH Traffic Attack [informationweek.com]

Prado and his fellow researchers promised to release a tool to allow businesses to test their own sites using proof-of-concept BREACH exploit code.
The most effective technique for mitigating the vulnerability is to disable HTTP compression, which is used to make the best use of bandwidth and server processing capabilities for a faster browsing experience.

 

cmendla




msg:4602784
 1:31 pm on Aug 17, 2013 (gmt 0)

@engine - Thanks for posting this.

Right now, I'm trying to squeeze speed out of my sites. Disabling the compression will stink, but it is better than getting compromised.

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved