Blog   |   Security   |   August 20, 2013

What You Need to Know About the BREACH Attack

We want to share an interesting security piece written by Mike Pinch, the Chief Information Security Officer at University of Rochester Medical Center and a CloudCheckr user.
A new attack that has been made public recently (at the Black Hat USA conference) is known as BREACH. BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is an extension of the CRIME attack, which stands for Compression Ratio Info leak Made Easy.  What does it mean?  With web pages becoming more and more rich with tons of javascript (think Google Apps), the amount of data being transmitted with each page request has risen significantly.  Web servers such as Apache and IIS offer a feature to compress the data before it is sent, dramatically cutting down the amount of data you need to transmit, and thereby speeding up the interwebs.
The following technical description was taken from the attack creators site,

To be vulnerable, a web application must:
• Be served from a server that uses https-level compression
• Reflect user-input in https response bodies
• Reflect a secret (such as a CSRF token) in https response bodies
How feasible is it?
The BREACH attack can be exploited with just a few thousand requests, and can be executed in under a minute. The number of requests required will depend on the secret size. The power of the attack comes from the fact that it allows guessing a secret one character at a time.

You are vulnerable if you use https compression, and you transmit user and session data back and forth (this amounts to most web pages on the Internet).
While there are a number of mitigation strategies, the easiest and most effective is to disable compression within your web server. This will cause a spike in the amount of data your are sending and receiving but is likely a worthwhile price to pay.
The definitive resource for more information can be found here.

Concerned About Your Cloud Security?

The largest enterprises, service providers, resellers, and government agencies trust CloudCheckr with their public cloud security. Get a free Cloud Check Up for your environment.