HTTPS is vulnerable to BREACH exploit – feds lack easy solution
According to the CERT (Computer Emergency Readiness Team), there is not an easy solution for the BREACH HTTPS vulnerability which was showcased on Thursday at the Black Hat security conference in Las Vegas.
The BREACH vulnerability was demonstrated on Thursday at the Black Hat security conference in Las Vegas. Its existence comes as sour news at this time, especially after Facebook’s culmination of two year’s effort to protect all of its users using HTTPS, and the increasingly depressing news about the government’s habits of spying on Internet users.
The exploit called BREACH, short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext, manipulates data compression to pry out doses of information from HTTPS protected data, including email addresses, security tokens, and other plain text strings.
It was possible in the past to mitigate the CRIME attack off of which BREACH is based, but an advisory issued by CERT (Computer Emergency Readiness Team) reveals that it currently does not have a comprehensive solution to the new security vulnerability, and urges webmasters to investigate whether they are susceptible to it. Since different applications and web programs work in different ways, there is not really a one-size-fits all vulnerability, or solution to any such vulnerabilities – not yet.
“We are currently unaware of a practical solution to this problem,” the CERT advisory stated. “However, the reporters offer several tactics for mitigating this vulnerability. Some of these mitigations may protect entire applications, while others may only protect individual webpages.” states the CERT advisory statement.
That list of tactics, which may be of interest to web developers who would like a head start in beating BREACH, can be found on the BREACH attack website.
Source: Ars Technica