No Fix Yet For https BREACH Traffic Attack

     
11:34 pm on Aug 16, 2013 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
posts:22282
votes: 236


No fix is available for an attack that can recover plain-text information from encrypted HTTPS traffic in 30 seconds or less.

The BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was discovered by Salesforce.com lead product security engineer Angelo Prado, Square application security engineer Neal Harris, and Salesforce.com lead security engineer Yoel Gluck. They first presented their findings in full at last week's Black Hat information security conference in Las Vegas. According to the researchers, all versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable to the attack, but not every HTTPS-using site is necessarily at risk.

No Fix Yet For https BREACH Traffic Attack [informationweek.com]

Prado and his fellow researchers promised to release a tool to allow businesses to test their own sites using proof-of-concept BREACH exploit code.

The most effective technique for mitigating the vulnerability is to disable HTTP compression, which is used to make the best use of bandwidth and server processing capabilities for a faster browsing experience.

1:31 pm on Aug 17, 2013 (gmt 0)

Preferred Member from US 

10+ Year Member

joined:May 6, 2004
posts: 650
votes: 0


@engine - Thanks for posting this.

Right now, I'm trying to squeeze speed out of my sites. Disabling the compression will stink, but it is better than getting compromised.
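
A check for the mitigation discussed in this thread, as an added example that is not part of either post: it reads response headers captured after requesting pages with `Accept-Encoding: gzip, deflate, br` and lists the URLs that still return compressed responses. The function names, URLs and sample headers are constructed for illustration.

```python
# Added example: hypothetical helper names, constructed sample data.
# Codings that mean the response was compressed at the HTTP layer.
COMPRESSING = {"gzip", "x-gzip", "deflate", "compress", "x-compress", "br", "zstd"}


def applied_codings(raw_head: str) -> list[str]:
    """Return the compression codings named in Content-Encoding or Transfer-Encoding."""
    found = []
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # skip the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("content-encoding", "transfer-encoding"):
            continue
        for token in value.split(","):  # a header may list several codings
            coding = token.strip().lower()
            if coding in COMPRESSING and coding not in found:
                found.append(coding)
    return found


def still_compressing(captures: dict[str, str]) -> dict[str, list[str]]:
    """Map each URL whose response was compressed to the codings it used."""
    result = {}
    for url, head in captures.items():
        codings = applied_codings(head)
        if codings:
            result[url] = codings
    return result


# Constructed captures (shop.example is a placeholder, not a real site).
SAMPLES = {
    "https://shop.example/account":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\ncontent-encoding: GZIP\r\n"
        "Vary: Accept-Encoding\r\n\r\n",
    "https://shop.example/login":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5120\r\n\r\n",
    "https://shop.example/api":
        "HTTP/1.1 200 OK\r\nTransfer-Encoding: gzip, chunked\r\n"
        "Content-Encoding: identity\r\n\r\n",
}

if __name__ == "__main__":
    for url, codings in still_compressing(SAMPLES).items():
        print(f"{url}: compression still enabled ({', '.join(codings)})")
```

Header names and coding tokens are matched case-insensitively, and anything after the blank line that ends the header block is ignored, so header-like text in a body is not counted.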
 
