BREACH Compression Attack Steals HTTPS Secrets in Under 30 Seconds

[kro]

A serious attack against ciphertext secrets buried inside HTTPS responses has prompted an advisory from Homeland Security.

The BREACH attack is an offshoot of CRIME, which was thought dead and buried after it was disclosed in September. Released at last week’s Black Hat USA 2013, BREACH enables an attacker to read encrypted messages over the Web by injecting plaintext into an HTTPS request and measuring compression changes.


http://threatpost.com/breach-compression-attack-steals-https-secrets-in-under-30-seconds/101579

 

[memnarc]

Wow that's some shocking news.

 

[HalfEatenPie]

Oh.  Yeah.  Surprised no-one posted about this earlier (saw it on reddit a while back).  aka, we're all screwed!  

 

[VPSCorey]

If someone has access to your internet connection in that fashion you're screwed anyways.

 

[kaniini]

Actually, this is not a huge deal.  It certainly isn't SSL "gone in 30 seconds", it is only a real-world attack against some specific types of headers and data sequences that are already somewhat predictable.