Less than 24 hours after researchers disclosed a new attack that can pluck secrets from webpages protected by the widely used HTTPS encryption scheme, the US Department of Homeland Security is advising website operators to investigate whether they're susceptible.
As Ars reported Thursday, an exploit dubbed BREACH—short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext—can decode e-mail addresses, certain types of security tokens, and other secrets from encrypted webpages, often in as little as 30 seconds. The attack builds on a previously developed technique known as CRIME, which manipulated data compression to glean clues about the plain-text contents of encrypted payloads. CRIME vulnerabilities were mitigated by disabling TLS compression and modifying the way the Google-developed compression known as SPDY worked. But as both CERT and the developers of BREACH have said, the new attack is much harder to protect against.
"We are currently unaware of a practical solution to this problem," the CERT advisory stated. "However, the reporters offer several tactics for mitigating this vulnerability. Some of these mitigations may protect entire applications, while others may only protect individual webpages."
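The compression side channel that CRIME and BREACH rely on can be seen from the defender's side in a short added example; it is not code from the article, CERT, or the BREACH researchers. The page template, the function names, and the token value are all constructed for illustration. It compares the size of a response when reflected input equals an embedded secret against one where it does not, with and without compression.

```python
import zlib

# Constructed sample secret; not a real token.
SECRET_TOKEN = "csrf_token=9f3ac17be2d04c58"


def render_page(reflected: str) -> bytes:
    """Hypothetical response body that reflects request input and embeds a secret."""
    return (
        "<html><body>"
        f"<p>Results for: {reflected}</p>"
        f"<form><input type='hidden' name='t' value='{SECRET_TOKEN}'></form>"
        "</body></html>"
    ).encode()


def wire_length(body: bytes, compress: bool) -> int:
    """Size visible to a network observer: encryption hides content, not length."""
    return len(zlib.compress(body, 6)) if compress else len(body)


def length_gap(compress: bool) -> int:
    """Size of a non-matching response minus size of a matching one.

    Both reflected strings have the same length, so any gap comes only from
    DEFLATE replacing the repeated secret with a short back-reference.
    """
    matching = render_page(SECRET_TOKEN)
    differing = render_page("csrf_token=" + "qzxwvjkpmyhgurld")
    return wire_length(differing, compress) - wire_length(matching, compress)


if __name__ == "__main__":
    # A positive gap means response size depends on the secret's value.
    print("gap with compression:   ", length_gap(compress=True))
    # Without compression the two responses are the same size.
    print("gap without compression:", length_gap(compress=False))
```

A page that shows a nonzero gap under compression combines the ingredients the advisory asks operators to look for: a compressed response that carries both a secret and attacker-influenced text.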