BREACH Compression Attack Steals HTTPS Secrets in Under 30 Seconds

kro

A serious attack against ciphertext secrets buried inside HTTPS responses has prompted an advisory from Homeland Security.

The BREACH attack is an offshoot of CRIME, which was thought dead and buried after it was disclosed in September. Released at last week’s Black Hat USA 2013, BREACH enables an attacker to read encrypted messages over the Web by injecting plaintext into an HTTPS request and measuring compression changes.


http://threatpost.com/breach-compression-attack-steals-https-secrets-in-under-30-seconds/101579
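An added illustration (not part of the original post or the linked article) of the compression-length signal the article describes: when a value reflected into a response matches a secret in the same body, the compressed body shrinks, and TLS does not hide that size. The page layout, function names and sample values are constructed; per-response token masking is shown as one commonly cited mitigation and is an assumption, not something the thread discusses.

```python
import os
import zlib

# Constructed sample values (not taken from the thread or the linked article).
TOKEN = "9f3a7c1e5b2d48a6c0e17f93b5d2a864"
WRONG = "4e8b1d6f0a2c9573e1b7f6048d3c5a29"

def page(reflected, token_field):
    """Hypothetical response that echoes a request parameter and embeds a secret."""
    return (f"<p>Results for: {reflected}</p>"
            f"<input type='hidden' name='csrf' value='{token_field}'>").encode()

def wire_len(body):
    """Compressed size; TLS encrypts these bytes but does not hide how many there are."""
    return len(zlib.compress(body, 9))

def mask(token_hex, pad=None):
    """Per-response masking: emit pad || (token XOR pad), with a fresh random pad."""
    raw = bytes.fromhex(token_hex)
    pad = pad if pad is not None else os.urandom(len(raw))
    return (pad + bytes(a ^ b for a, b in zip(raw, pad))).hex()

def unmask(field_hex):
    """Server-side recovery of the real token before comparing it."""
    blob = bytes.fromhex(field_hex)
    half = len(blob) // 2
    return bytes(a ^ b for a, b in zip(blob[:half], blob[half:])).hex()

def length_gap(token_field):
    """Bytes saved when the reflected value equals the secret versus when it does not."""
    return wire_len(page(WRONG, token_field)) - wire_len(page(TOKEN, token_field))

if __name__ == "__main__":
    # A static token shows a clear gap; a masked token leaves only noise,
    # because the bytes on the page change on every response.
    print("gap, static token:", length_gap(TOKEN))
    print("gap, masked token:", length_gap(mask(TOKEN)))
```

Disabling HTTP compression for responses that carry secrets removes the signal entirely; masking keeps compression on while making the secret's on-page bytes different every time.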
 

HalfEatenPie

Oh. Yeah. Surprised no-one posted about this earlier (saw it on reddit a while back). aka, we're all screwed!
 

VPSCorey

If someone has access to your internet connection in that fashion you're screwed anyways.
 

kaniini

Actually, this is not a huge deal. It certainly isn't SSL "gone in 30 seconds", it is only a real-world attack against some specific types of headers and data sequences that are already somewhat predictable.
 