The BREACH attack was discovered in 2013. The attack exploits the combination of data compression and encryption that websites use to accelerate page load times, conserve bandwidth and secure data during transmission. Although BREACH does not directly target SSL security, it compromises the privacy goal of SSL by reducing HTTPS to encrypting page headers, leaving other content susceptible to discovery. Using a combination of brute force and divide-and-conquer techniques, attackers can employ BREACH to extract login credentials, email addresses, and other sensitive, personally identifiable information from SSL-enabled websites.
The BREACH attack is agnostic to the version of SSL/TLS protocol in use, and effective against any type of cipher suite as long as the following conditions are met:
In effect, by injecting plaintext into an HTTPS request and observing the length of the compressed HTTPS responses, an attacker is able to iteratively guess and derive plaintext secrets from an SSL stream.
Requiring only a few thousand requests, the BREACH attack is executable in less than 60 seconds, and no clean, practical way to eliminate the exploit exists. Possible mitigations include disabling HTTP compression, which would result in reduced performance and increased bandwidth usage; separating secrets from user input; or rate-limiting requests to the server. Most BREACH attack mitigations are application-specific or require improved information security best practices concerning the handling of sensitive data. Other preventative measures include implementing vulnerability management on web applications and using a Web Application Firewall to detect and block malicious clients.
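The length oracle described above, and one way of separating a secret from user input, as an added example that is not part of the original page or of any Akamai product: the constructed response below reflects a search string next to a hypothetical CSRF token, `best_guesses` measures how the DEFLATE size responds to each candidate character, and `mask_token` applies per-response masking (pad || value XOR pad, the scheme Django uses for CSRF tokens; an assumption, not something the page describes) so the size stops tracking the real secret.

```python
import os
import zlib
from typing import Optional

# Constructed sample, not from the original page: a response that reflects a
# user-supplied search string and also carries a secret token in a link.
# All names, values and the page layout are hypothetical.
SECRET_TOKEN = "7f3a9c1e"
HEX = "0123456789abcdef"

def render(reflected: str, token_param: str) -> bytes:
    """Body of the response; `reflected` is under the requester's control."""
    html = (
        "<html><body>"
        f"<p>Results for: {reflected}</p>"
        f'<a href="/logout?csrftoken={token_param}">Log out</a>'
        "</body></html>"
    )
    return html.encode()

def compressed_size(body: bytes) -> int:
    """Bytes on the wire after DEFLATE (Content-Encoding: gzip/deflate)."""
    return len(zlib.compress(body, 6))

def best_guesses(known_prefix: str, token_param: str) -> set:
    """Risk self-test for the oracle the text describes: reflect the known
    prefix plus one candidate character and return the candidates that give
    the smallest compressed response (ties are possible, hence a set)."""
    sizes = {c: compressed_size(render(known_prefix + c, token_param)) for c in HEX}
    smallest = min(sizes.values())
    return {c for c, n in sizes.items() if n == smallest}

def mask_token(value: str, pad: Optional[bytes] = None) -> str:
    """Mitigation: emit pad || (value XOR pad) in hex with a fresh random pad
    per response, so the secret never appears verbatim and its encoding
    changes every time (masking scheme is an assumption, not on the page)."""
    raw = value.encode()
    pad = os.urandom(len(raw)) if pad is None else pad
    return pad.hex() + bytes(a ^ b for a, b in zip(raw, pad)).hex()

def unmask_token(field: str) -> str:
    """Server side: split the field back into pad and masked value."""
    half = len(field) // 2
    pad, masked = bytes.fromhex(field[:half]), bytes.fromhex(field[half:])
    return bytes(a ^ b for a, b in zip(masked, pad)).decode()

if __name__ == "__main__":
    print("static token, best guesses:", best_guesses("csrftoken=", SECRET_TOKEN))
    print("masked token, best guesses:", best_guesses("csrftoken=", mask_token(SECRET_TOKEN)))
```

With the static token the correct next character ("7") is always among the smallest responses; with masking, the smallest response tracks the random pad instead, and a new pad is drawn on every request.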
Akamai is ready and available to help our customers implement appropriate defenses and discuss the performance implications of possible defensive strategies against the BREACH attack. For users of our platform, we recommend using our Kona Site Defender Web Security Solution offering: