TL;DR
The BREACH attack exploits HTTP compression to reveal sensitive data in encrypted traffic. The main fix is disabling HTTP compression, or ensuring Content-Length headers accurately reflect the actual size of responses. This guide explains how to do both.
What is the BREACH Attack?
BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of HTTPS) allows an attacker to steal information from encrypted web sessions, even when HTTPS is used. It works by injecting attacker-controlled content into HTTP requests and observing how the size of the server’s compressed response changes. If the server compresses responses whose content mixes that injected data with a secret, the attacker can deduce parts of the original data from the response length alone.
How to Prevent BREACH Attacks
- Disable HTTP Compression: This is the most effective solution. Most web servers support compression algorithms such as gzip and deflate; disabling them removes the vulnerability.
  - Apache: Edit your Apache configuration file (e.g., httpd.conf or apache2.conf) and remove or comment out the lines that load and configure the compression module:

        # Remove these lines
        #LoadModule deflate_module modules/mod_deflate.so
        #DeflateCompressionLevel 6

  - Nginx: Edit your Nginx configuration file (e.g., nginx.conf) and remove or comment out the compression settings:

        # Remove these lines
        #gzip on;
        #gzip_types text/plain text/css application/json application/javascript ...

  - IIS: Open IIS Manager, select your website, and navigate to the Compression feature. Disable HTTP compression for both static and dynamic content.
- Accurate Content-Length Headers: If you can’t disable compression entirely (e.g., because of performance requirements), ensure the Content-Length header accurately reflects the size of the response body *after* compression. This makes it harder for attackers to exploit timing differences.
  - Server Configuration: Most web servers handle this automatically when compression is enabled, but verify your configuration.
  - Application Code: If you’re generating responses dynamically (e.g., using PHP, Python, Node.js), make sure the Content-Length header is set from the compressed output, not the original body:

        <?php
        // Example in PHP: compress first, then derive Content-Length from the compressed bytes
        $data = json_encode(['status' => 'ok']);   // sample payload for the example
        $compressedData = gzencode($data);
        header('Content-Type: application/json');
        header('Content-Encoding: gzip');          // required so the client knows to decompress
        header('Content-Length: ' . strlen($compressedData));
        echo $compressedData;

- TLS Configuration (important, but not a direct BREACH fix): While TLS doesn’t directly prevent BREACH, using a strong TLS configuration with modern protocol versions (TLS 1.2 or higher) and cipher suites is crucial for overall security.
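To show why the length side channel described above exists, and why disabling compression removes it, here is an added Python example (not part of the original guide). It builds a constructed HTML page containing a placeholder secret token and a reflected parameter, then compares the body length with DEFLATE compression on and off: with compression on, a reflected string that repeats the secret comes out measurably shorter than an equal-length wrong string; with compression off, the two lengths are identical. The markup and token value are made up for this example.

```python
import zlib

# Constructed page: a per-session secret plus a reflected query parameter, the two
# ingredients BREACH needs. The token value is a made-up placeholder, not real data.
SECRET_TOKEN = "4e9d0c7a2b81f6e3"
PAGE = (
    '<html><body><form method="post">'
    '<input type="hidden" name="csrf_token" value="{secret}">'
    '</form><p>Results for: {reflected}</p></body></html>'
)


def render(reflected: str) -> bytes:
    """Build the plaintext HTTP body the server would send back."""
    return PAGE.format(secret=SECRET_TOKEN, reflected=reflected).encode()


def body_length(reflected: str, compression: bool) -> int:
    """Length on the wire: DEFLATE at level 6 (the mod_deflate/gzip default) or raw."""
    body = render(reflected)
    return len(zlib.compress(body, 6)) if compression else len(body)


# Two attacker-controlled strings of identical length: one repeats the secret exactly
# (DEFLATE replaces it with a short back-reference), the other is hex that shares no
# 3-byte run with the secret, so it must be emitted as literals.
MATCHING_GUESS = f'value="{SECRET_TOKEN}"'
WRONG_GUESS = 'value="1b3f5d7092c4a6e8"'


def length_leaks_secret(compression: bool) -> bool:
    """True when the matching guess yields a shorter body than the wrong one, i.e. the
    body length alone distinguishes a correct guess from an incorrect one."""
    return body_length(MATCHING_GUESS, compression) < body_length(WRONG_GUESS, compression)


if __name__ == "__main__":
    for compression in (True, False):
        m = body_length(MATCHING_GUESS, compression)
        w = body_length(WRONG_GUESS, compression)
        print(f"compression={compression!s:5} matching={m} wrong={w} leaks={m < w}")
```

With compression disabled the two bodies are the same size regardless of what was reflected, which is exactly the property the first mitigation above relies on.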
Testing for BREACH Vulnerability
Several online tools can help you test your website for the BREACH attack. Search for “BREACH attack test” to find them. These tools typically involve sending specially crafted requests and analyzing the server’s responses.
Important Considerations
- Performance Impact: Disabling compression will increase bandwidth usage and potentially slow down your website. Weigh the security benefits against the performance cost.
- Regular Updates: Keep your web server software up to date with the latest security patches.

