We want to share an interesting security piece written by Mike Pinch, the Chief Information Security Officer at University of Rochester Medical Center and a CloudCheckr user.
The following technical description was taken from the attack creators' site, breachattack.com:
To be vulnerable, a web application must:
• Be served from a server that uses https-level compression
• Reflect user-input in https response bodies
• Reflect a secret (such as a CSRF token) in https response bodies
How feasible is it?
The BREACH attack can be exploited with just a few thousand requests, and can be executed in under a minute. The number of requests required will depend on the secret size. The power of the attack comes from the fact that it allows guessing a secret one character at a time.
You are vulnerable if you use https compression, and you transmit user and session data back and forth (this amounts to most web pages on the Internet).
While there are a number of mitigation strategies, the easiest and most effective is to disable compression within your web server. This will cause a spike in the amount of data you are sending and receiving, but it is likely a worthwhile price to pay.
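To see why compression is the thing to remove, here is an added example (not from the original post or from breachattack.com) that measures, offline with zlib, whether the compressed size of a constructed page body depends on a reflected prefix guess against a CSRF-style token, and then checks that per-response masking of the token (XOR with a random pad, another of the strategies listed on breachattack.com) removes that size signal. The HTML template, the token value and the pad handling are all constructed for this example.

```python
import os
import zlib

# Constructed sample page: it satisfies all three BREACH preconditions from the
# post (compressed, reflects user input, reflects a secret in the body).
SECRET = "csrf=ZQXJ-KWVM"  # constructed CSRF-style token, not a real value

TEMPLATE = ("<html><body><ul>"
            "<li><a href='/home'>Home</a></li><li><a href='/news'>News</a></li>"
            "<li><a href='/help'>Help</a></li></ul>"
            "<p>You searched for: {reflected}</p>"
            "<form><input type='hidden' name='token' value='{token}'></form>"
            "</body></html>")

def render(reflected: str, token: str) -> bytes:
    """Body as the server would emit it: user input and the token both reflected."""
    return TEMPLATE.format(reflected=reflected, token=token).encode()

def deflate_len(body: bytes) -> int:
    """Bytes on the wire after DEFLATE, i.e. what HTTP-level gzip/deflate sends.
    Fixed Huffman codes make the size a pure function of the LZ77 matches, so the
    example is deterministic; real servers add some Huffman noise on top."""
    comp = zlib.compressobj(6, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(comp.compress(body) + comp.flush())

def mask(secret: str, pad: bytes) -> str:
    """Per-response masking: send pad || (secret XOR pad) as hex. The client
    unmasks it; the byte string on the wire differs on every response."""
    masked = bytes(p ^ s for p, s in zip(pad, secret.encode()))
    return (pad + masked).hex()

def length_leak(secret: str, use_mask: bool) -> int:
    """Extra bytes the compressed body grows by when the reflected user input
    stops matching the secret's prefix. > 0 means the response size reveals
    whether a prefix guess is correct; 0 means there is no size signal."""
    pad = os.urandom(len(secret))  # one pad for both renders, to isolate the guess's effect
    token = mask(secret, pad) if use_mask else secret
    right = deflate_len(render(secret[:9], token))         # "csrf=ZQXJ": prefix matches
    wrong = deflate_len(render(secret[:8] + "K", token))   # "csrf=ZQXK": last char differs
    return wrong - right

if __name__ == "__main__":
    print("unmasked token, size signal in bytes:", length_leak(SECRET, False))  # 1
    print("masked token,   size signal in bytes:", length_leak(SECRET, True))   # 0
```

With the token sent in the clear, the body that reflects the correct prefix is one byte smaller because DEFLATE replaces the token's prefix with a back-reference; with masking, the reflected guess never matches the wire form of the token and the sizes are identical.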
The definitive resource for more information can be found here.