PIVOTAL LABS
SSL Tabs Gone Wrong

Interestings

BREACH attack against compressed TLS

In case you haven't been following the email thread on this:

http://breachattack.com/

There is a new attack that leaks secrets which are sent over and over again in compressed HTTPS responses. An attacker who can observe the size of the victim's encrypted traffic (a passive observer is enough; TLS itself is not broken) and who can make the victim's browser issue requests to the target site, say from a page the attacker controls, can recover secrets such as XSRF tokens with several thousand requests. The preconditions are that the response carrying the secret also reflects attacker-controlled input (a search string, a URL parameter) and is served with HTTP compression (gzip/deflate) enabled. The secret is guessed one character at a time: a guess that matches the real secret is encoded by the compressor as a back-reference instead of a fresh literal, so the response is a little shorter, and that difference shows up in the ciphertext length.

For Rails (this is not a guaranteed fix): https://github.com/meldium/breach-mitigation-rails
For Django: https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

Want a PDF explaining it? The slide deck: http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf

BREACH is derived from CRIME, which used the same compression-oracle technique against TLS-level (and SPDY) compression of requests by injecting chosen data next to the cookie. BREACH instead targets HTTP-level compression of response bodies, so the CRIME fix of turning off TLS compression does nothing against it.

Disabling HTTP compression for any response that carries a secret resolves the attack, at a significant cost in bandwidth and page load time. The alternative that keeps compression is to make the secret look different in every response, e.g. by XORing the token with a fresh random mask and sending mask and masked value together, so that a reflected guess never matches the bytes actually transmitted; the Rails mitigation linked above masks the CSRF token this way and adds random padding to responses, which is why it is a mitigation rather than a guaranteed fix.
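As an added example (not from the original post and not code from either of the mitigation projects linked above), the following Python script builds a miniature version of the attack and of the token-masking defence. The page text, the token value, the `csrf_token=` prefix, the alphabet and every function name are constructed for the demo. The "server" is a function that returns a deflate-compressed body; the "attacker" sees only the compressed length, which is what a passive observer of the TLS stream sees. The compressor is pinned to fixed Huffman trees so that one wrong character costs exactly one byte and the oracle is exact; real servers use dynamic trees, the signal is noisier, and that is one reason the real attack needs thousands of padded and repeated requests.

```python
"""Miniature BREACH oracle and the token-masking defence (constructed demo)."""
import os
import zlib

# Constructed sample secret; a real token would be longer and random.
SECRET = "9f3a1c"
TOKEN_ALPHABET = "0123456789abcdef"
# Text that immediately precedes the secret in the page. The attacker
# learns it by loading the page in a session of their own.
PREFIX = "csrf_token="


def render_vulnerable(user_input: str) -> str:
    """Constructed page: the secret and reflected input share one body."""
    return (
        "<p>Your token is <b>" + PREFIX + SECRET + " (keep it private)</b></p>"
        "<p>Search results for <i>" + user_input + "</i></p>"
    )


def compressed_size(body: str) -> int:
    """What a passive observer of TLS sees: the ciphertext length, which
    tracks the compressed plaintext length. Fixed Huffman trees are forced
    (Z_FIXED, an assumption for the demo) so that one extra literal costs
    exactly 8 bits and the oracle is exact; real servers use dynamic trees,
    which adds noise that an attacker averages out with repeated requests."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 15, 9, getattr(zlib, "Z_FIXED", 4))
    return len(comp.compress(body.encode()) + comp.flush())


def breach_recover(page, prefix, length, alphabet=TOKEN_ALPHABET):
    """Recover `length` secret characters that follow `prefix` in the page
    using only the compressed size of each response.
    Returns (recovered_secret, number_of_requests)."""
    known = ""
    requests = 0
    for _ in range(length):
        sizes = {}
        for c in alphabet:
            sizes[c] = compressed_size(page(prefix + known + c))
            requests += 1
        # The right character extends the LZ77 back-reference to the real
        # secret instead of being emitted as a fresh literal, so that
        # response compresses best.
        known += min(sizes, key=sizes.get)
    return known, requests


def mask_token(token: str, randbytes=os.urandom) -> str:
    """Per-response masking: transmit hex(mask || (mask XOR token)). The
    literal token never appears in the body, so a reflected guess has
    nothing to match against, and the value changes on every response."""
    raw = token.encode()
    mask = randbytes(len(raw))
    masked = bytes(m ^ t for m, t in zip(mask, raw))
    return (mask + masked).hex()


def unmask_token(value: str) -> str:
    """Server side: recover the real token from a masked value."""
    data = bytes.fromhex(value)
    half = len(data) // 2
    return bytes(m ^ t for m, t in zip(data[:half], data[half:])).decode()


def render_mitigated(user_input: str) -> str:
    """Same page, but the token is freshly masked on every response."""
    return (
        "<p>Your token is <b>" + PREFIX + mask_token(SECRET) + " (keep it private)</b></p>"
        "<p>Search results for <i>" + user_input + "</i></p>"
    )


if __name__ == "__main__":
    token, n = breach_recover(render_vulnerable, PREFIX, len(SECRET))
    print(f"unmitigated: recovered {token!r} in {n} requests")
    token, n = breach_recover(render_mitigated, PREFIX, len(SECRET))
    print(f"masked token: recovered {token!r} in {n} requests (garbage)")
```

Against the unmitigated page the oracle needs 16 requests per character, 96 in total, and the correct guess is always the single shortest response. Against the masked page the bytes after `csrf_token=` differ on every request, so the "best" guess at each position is noise and the real token is never exposed; the server still compresses the page. Note that masking only protects the token itself: any other secret reflected next to attacker input in a compressed response is still exposed.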
