A new DHS report released on August 2, "BREACH vulnerability in compressed HTTPS", detailed how an attacker could derive information from the length of a compressed encrypted stream.
From the report:
While the CRIME attack is currently believed to be mitigated by disabling TLS/SSL-level compression, compressed HTTP responses represent a significant unmitigated vector which is currently exploitable. By injecting plaintext into an HTTPS request, an attacker can learn information about the corresponding HTTPS response by measuring its size.
The article states what the symptoms are, as well as potential fixes. Basically, disable HTTP compression.
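To see why disabling HTTP compression closes the leak, here is an added example (not from the report or this post) that compares response sizes with and without compression. The token value, page markup and function names are constructed for illustration.

```python
import zlib

# Constructed values for illustration only; none come from the report.
SECRET = "9f3a7c1e5b2d4a68"
RIGHT_GUESS = "csrf_token=9f3a7c1e5b2d4a68"
WRONG_GUESS = "csrf_token=b81d4e6f0a2c9573"  # same length, different value


def render_page(reflected: str) -> bytes:
    """Build a response body that echoes request input next to a secret."""
    return (
        "<html><body>"
        f"<p>You searched for: {reflected}</p>"
        f"<a href='/logout?csrf_token={SECRET}'>Log out</a>"
        "</body></html>"
    ).encode()


def wire_length(reflected: str, http_compression: bool) -> int:
    """Size visible on the wire: TLS hides the content but not its length."""
    body = render_page(reflected)
    return len(zlib.compress(body, 9)) if http_compression else len(body)


def leaks(http_compression: bool) -> bool:
    """True if the response size depends on whether the echoed input
    matches the secret, i.e. the length acts as a side channel."""
    return (wire_length(RIGHT_GUESS, http_compression)
            != wire_length(WRONG_GUESS, http_compression))


if __name__ == "__main__":
    for setting in (True, False):
        print(f"compression={setting}: "
              f"match={wire_length(RIGHT_GUESS, setting)} "
              f"mismatch={wire_length(WRONG_GUESS, setting)} "
              f"leaks={leaks(setting)}")
```

With compression on, the matching input is deduplicated against the secret and the response shrinks; with compression off, both responses are the same size.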
Ran into this one today. The site had only SFTP/SSH access, and the server required the “FTP” method of updating plugins/WordPress. Remember, FTPS is not SFTP. FTPS runs over HTTPS/SSL, while SFTP runs over SSH. Confusing?
Fortunately, there’s a nice little plugin called SSH SFTP Updater Support.
You must download it, then upload the contents of the zip into /wp-content/plugins/, then Activate the plugin in the admin. It will add an SSH2 (which is used for SFTP) option to your “Updates” screen.
Worked for me.