HTTP compression continues to put encrypted communications at risk

HTTP compression continues

HTTP compression continues to put encrypted communications at risk
HTTP compression- a mechanism used to speed up browsing has been proved to put encrypted communication at risk. This is in the form of a BREACH attack. BREACH is an acronym for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext. The BREACH attack exploits the gzip/DEFLATE algorithm to intercept and recover sensitive information such as browser cookies about the encrypted connections.
Security researchers have gone on to prove that HTTP compression truly puts encrypted communications at risk. The first to present their findings were the trio of Angelo Prado, Neal Harris and Yoel Gluck during the Black Hat USA security conference held in 2013. Their version of BREACH attack targeted connections that are encrypted with stream ciphers, e.g RC4. Another team, Dimitris Karakostas from the National Technical University of Athens and Dionysis Zindros from the University of Athens, went on to improve the BREACH attack making it possible to attack TLS block ciphers, such as AES, which are mostly used nowadays. The duo even showed how even security conscious websites such as Gmail and Facebook are prone to BREACH attacks.
BREACH attacks occur when the attacker intercepts a victim’s website traffic. As long as the attacker can compromise the network the victim is using, the attack will go through. This is possible when browsing traffic is intercepted on a compromised router, a wireless network or even the internet infrastructure of the Internet Service Provider (ISP). To accomplish the BREACH attack, the attacker finds a vulnerable target of an application that receives input via a URL parameter and reflects the input at some point in the encrypted communication. An example of a vulnerable target the researchers identified is the ‘search function’ on Gmail’s mobile site.
The main goal of the attacker in a BREACH attack is to cheat a user to submit numerous requests to a susceptible function in a application, such as the mobile search function in Gmail with the aim of gradually guessing the authentication token. The gradual revelation of the authentication token is aided to a large extent by the variations in HTTP compression.
Bottom Line
After BREACH was announced in the 2013 conference, most websites began using AES block ciphers since RC4 is no longer considered safe. Other mechanisms to prevent BREACH attacks have also been adopted by many website owners. However, the sad reality is that BREACH attacks have not been eliminated completely. This is attributed to the fundamental aspects of BREACH still remain unresolved. Therefore, HTTP compression continues to put encrypted communications at risk.

Leave a Reply

Your email address will not be published. Required fields are marked *