HTTPS is vulnerable to BREACH exploit – feds lack easy solution

According to the CERT (Computer Emergency Readiness Team), there is not an easy solution for the BREACH HTTPS vulnerability which was showcased on Thursday at the Black Hat security conference in Las Vegas.


The BREACH vulnerability was demonstrated on Thursday at the Black Hat security conference in Las Vegas. Its existence comes as sour news at this time, especially after Facebook’s completion of a two-year effort to protect all of its users using HTTPS, and amid the increasingly depressing news about the government’s habits of spying on Internet users.

The exploit, called BREACH (short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext), manipulates data compression to extract pieces of information from HTTPS-protected data, including email addresses, security tokens, and other plain-text strings.

It was possible in the past to mitigate the CRIME attack, on which BREACH is based, but an advisory issued by CERT (Computer Emergency Readiness Team) reveals that it currently does not have a comprehensive solution to the new security vulnerability, and urges webmasters to investigate whether they are susceptible to it. Since different applications and web programs work in different ways, there is no one-size-fits-all vulnerability, and no one-size-fits-all solution to any such vulnerabilities, at least not yet.

“We are currently unaware of a practical solution to this problem,” the CERT advisory stated. “However, the reporters offer several tactics for mitigating this vulnerability. Some of these mitigations may protect entire applications, while others may only protect individual webpages.”

That list of tactics, which may be of interest to web developers who would like a head start in beating BREACH, can be found on the BREACH attack website.
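For developers checking their own pages, the following added example (not from the article, CERT, or the BREACH researchers) shows why a compressed response that echoes request input next to a secret leaks through its length, and how masking the secret with a fresh random pad per response, one of the tactics on the researchers' list, removes that signal. The page template, token values and function names are constructed for illustration.

```python
import secrets
import zlib

TOKEN = "7f3a9c1e5b2d8a40"   # constructed sample secret
WRONG = "c48b1d6e0fa27935"   # constructed value that does not match it

def render(reflected: str, token_field: str) -> bytes:
    """Hypothetical page: echoes request input and embeds a hidden token."""
    return (f'<html><body><p>Results for: {reflected}</p>'
            f'<form><input type="hidden" name="csrf" value="{token_field}">'
            f'</form></body></html>').encode()

def compressed_len(body: bytes) -> int:
    """Size an observer sees on the wire; TLS hides content, not length."""
    return len(zlib.compress(body, 9))

def length_gap(token_field: str) -> int:
    """Bytes saved when the echoed input equals the real token."""
    right = compressed_len(render(f'value="{TOKEN}', token_field))
    wrong = compressed_len(render(f'value="{WRONG}', token_field))
    return wrong - right

def mask(token: str) -> str:
    """Mitigation: emit pad || (pad XOR token) with a fresh pad per response."""
    raw = token.encode()
    pad = secrets.token_bytes(len(raw))
    return (pad + bytes(p ^ t for p, t in zip(pad, raw))).hex()

def unmask(masked: str) -> str:
    """Server side: recover the token from a submitted masked value."""
    blob = bytes.fromhex(masked)
    half = len(blob) // 2
    return bytes(p ^ m for p, m in zip(blob[:half], blob[half:])).decode()

if __name__ == "__main__":
    print("gap, token embedded as-is:", length_gap(TOKEN))
    print("gap, token masked        :", length_gap(mask(TOKEN)))
    assert unmask(mask(TOKEN)) == TOKEN
```

A positive gap for the unmasked page means the response length depends on the secret; with masking, the bytes on the page change on every response, so echoed input has nothing stable to compress against.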

Source: Ars Technica

Brandon Shutt
Brandon is an A+ certified technician and freelance writer living in East Tennessee. He loves God, writing, science (especially technology) and philosophy. He is currently preparing to enter the field of information security.
