A new DHS report released on August 2, "BREACH vulnerability in compressed HTTPS", details how an attacker can derive information from the length of a compressed, encrypted stream.
From the report:
While the CRIME attack is currently believed to be mitigated by disabling TLS/SSL-level compression, compressed HTTP responses represent a significant unmitigated vector which is currently exploitable. By injecting plaintext into an HTTPS request, an attacker can learn information about the corresponding HTTPS response by measuring its size.
The report describes the symptoms and the potential fixes; in short, disable HTTP compression.
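As an added illustration of the length side channel the report describes (example code written for this summary, not taken from the DHS report or any real site), the page body, the secret token and the reflected input below are all constructed values; it compares the on-the-wire size of the same response with HTTP compression on and off.

```python
import zlib

# Constructed example values; nothing here comes from the DHS report itself.
SECRET_TOKEN = "csrf=7f3a9c"   # per-session secret embedded in the page


def page_body(reflected: str) -> bytes:
    """Hypothetical HTTPS response that echoes attacker-influenced input
    (e.g. a query parameter) in the same body as a secret token."""
    return (
        "<html><body>"
        f"<p>Results for: {reflected}</p>"
        f'<a href="/logout?{SECRET_TOKEN}">Log out</a>'
        "</body></html>"
    ).encode()


def response_size(reflected: str, http_compression: bool) -> int:
    """Size on the wire of the body: TLS hides the content but not its
    length, so this is what a network observer can measure."""
    body = page_body(reflected)
    return len(zlib.compress(body)) if http_compression else len(body)


def size_leak(http_compression: bool) -> int:
    """Bytes saved when the reflected text equals the secret, compared with
    a string of the same length that shares only the 'csrf=' prefix.
    A positive value means the response length depends on the secret,
    i.e. the BREACH side channel is present; 0 means no leak."""
    matching = response_size(SECRET_TOKEN, http_compression)
    unrelated = response_size("csrf=x1y2z3", http_compression)
    return unrelated - matching


if __name__ == "__main__":
    print("HTTP compression on :", size_leak(True), "byte(s) of difference")
    print("HTTP compression off:", size_leak(False), "byte(s) of difference")
```

With compression enabled the matching guess yields a measurably shorter response; with compression disabled both responses are the same length, which is why the report's fix works.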