
Forum Moderators: phranque


No Fix Yet For https BREACH Traffic Attack

     

engine

11:34 pm on Aug 16, 2013 (gmt 0)




No fix is available for an attack that can recover plain-text information from encrypted HTTPS traffic in 30 seconds or less.

The BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was discovered by Salesforce.com lead product security engineer Angelo Prado, Square application security engineer Neal Harris, and Salesforce.com lead security engineer Yoel Gluck. They first presented their findings in full at last week's Black Hat information security conference in Las Vegas. According to the researchers, all versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable to the attack, but not every HTTPS-using site is necessarily at risk.

No Fix Yet For https BREACH Traffic Attack [informationweek.com]

Prado and his fellow researchers promised to release a tool to allow businesses to test their own sites using proof-of-concept BREACH exploit code.
The most effective technique for mitigating the vulnerability is to disable HTTP compression, which is used to make the best use of bandwidth and server processing capabilities for a faster browsing experience.

cmendla

1:31 pm on Aug 17, 2013 (gmt 0)




@engine - Thanks for posting this.

Right now, I'm trying to squeeze speed out of my sites. Disabling the compression will stink, but it is better than getting compromised.
 
