Quickest Mitigation to BREACH Attack

Before that, the best explanation I have read so far of the BREACH attack. To quote from Wikipedia:
"A BREACH attack can extract login tokens, email addresses or other sensitive information from TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted), provided the attacker tricks the victim into visiting a malicious web link."
Maybe it's just me, but that is far better explained than the official disclosure. Reluctantly (since performance will be affected), I've opted for the most effective mitigation method: disabling HTTP compression on the server side. The example given here is running on Apache 2.2.22 in Ubuntu 13.04.

1. Check our Apache web server version.
$ apache2 -v
Server version: Apache/2.2.22 (Ubuntu)
Server built:   Jul 12 2013 13:18:14

2. Check if the dynamic module deflate is enabled.
$ sudo apachectl -t -D DUMP_MODULES | grep deflate
 deflate_module (shared)
Syntax OK

3. Double-confirm that the web server is sending compressed content to the client. We're using the curl HTTP client. Look for the Content-Encoding header field in the HTTP response returned by the web server.
$ curl -I -k --compress https://localhost
HTTP/1.1 200 OK
Date: Wed, 07 Aug 2013 16:36:35 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.2
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Content-Type: text/html

4. Disable mod_deflate and restart the web server again.
$ sudo a2dismod deflate
Module deflate disabled.
To activate the new configuration, you need to run:
  service apache2 restart

$ service apache2 restart

5. Recheck the Content-Encoding header in the HTTP response. It should now be missing from the returned result.
$ curl -I -k --compress https://localhost
HTTP/1.1 200 OK
Date: Wed, 07 Aug 2013 16:42:53 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.2
Content-Type: text/html
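Steps 3 and 5 above check the Content-Encoding header by eye. The script below is an added example, not part of the original post, that does the same check in a repeatable way: it parses raw response headers (case-insensitively, tolerating the CRLF line endings curl emits) and reports whether the server compressed the response, and it wraps a curl header-only request that explicitly advertises gzip/deflate, which matters because Apache only compresses when the client asks (hence the Vary: Accept-Encoding header in the "before" response). The sample headers embedded at the bottom are constructed to mirror the post's before/after output; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: detect HTTP-level compression
# in a response, the condition BREACH needs and the one disabling mod_deflate removes.

# compression_status: reads raw HTTP response headers on stdin and prints
# "compressed:<encoding>" when a Content-Encoding header is present,
# otherwise "uncompressed". Always returns 0; the verdict is in the output.
compression_status() {
  # Header names are case-insensitive; strip CR so CRLF lines match cleanly.
  enc=$(tr -d '\r' | grep -i '^content-encoding:' | head -n 1 | cut -d: -f2- | tr -d ' \t')
  if [ -n "$enc" ]; then
    printf 'compressed:%s\n' "$enc"
  else
    printf 'uncompressed\n'
  fi
  return 0
}

# check_url: fetch only the headers of the given URL, advertising the encodings
# a browser would, and classify the result. Assumes curl is installed.
# -k is kept because the post tests a self-signed localhost certificate;
# drop it when checking a real host.
check_url() {
  curl -s -I -k -H 'Accept-Encoding: gzip, deflate' "$1" | compression_status
}

# Constructed sample headers mirroring the post's step 3 (before) and step 5 (after).
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Content-Type: text/html'

# With URLs on the command line, check each one; otherwise demo on the samples.
if [ $# -gt 0 ]; then
  for u in "$@"; do
    printf '%s: ' "$u"
    check_url "$u"
  done
else
  printf 'before: '; printf '%s\n' "$BEFORE" | compression_status
  printf 'after:  '; printf '%s\n' "$AFTER"  | compression_status
fi
```

Run it as `sh check_compression.sh https://localhost` after restarting Apache; an "uncompressed" verdict confirms the mod_deflate change took effect for that URL. Note that the post's `curl --compress` works only because curl accepts unambiguous prefixes of long options; the full spelling is `--compressed`.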
