Stopping BREACH Attacks

TL;DR

BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of HTTP) is an attack that steals data from HTTPS connections by exploiting compression. The main fixes are to disable HTTP/2 on servers, enable TLS 1.3, and use strong Content-Encoding negotiation.

What is BREACH?

BREACH exploits the way web servers compress HTTP responses. If a server compresses data before sending it, an attacker can try to inject requests into the compressed stream to reveal sensitive information like cookies or authentication tokens. It’s more effective on older TLS versions and when HTTP/2 is enabled.

How to Protect Against BREACH

1. Disable HTTP/2

• HTTP/2 header compression makes BREACH attacks easier. Disabling it significantly reduces the risk.
• The method for disabling HTTP/2 varies depending on your web server software:
• Apache: Edit your virtual host configuration and set Protocols h1 http/1.1. Restart Apache after making changes.
• Nginx: In your server block, remove or comment out the line containing http2 in the listen directive. Restart Nginx.
• Example (Nginx):

  
  listen 443 ssl;
  # Remove/comment this line: listen 443 ssl http2;
  

Enable TLS 1.3

• TLS 1.3 has built-in protections against BREACH attacks because it doesn’t allow the same header compression vulnerabilities as older versions.
• Ensure your server is configured to prefer TLS 1.3. This usually involves updating your SSL/TLS configuration and restarting the web server.
• Example (OpenSSL Configuration): You may need to configure ciphers to prioritize TLS 1.3.

  
  CipherString += 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384' 
  

Content-Encoding Negotiation

• Carefully control which content encodings your server supports. Avoid using compression algorithms that are vulnerable to BREACH, such as DEFLATE and GZIP when combined with older TLS versions.
• Prioritize Brotli if possible; it’s generally considered safer.
• Configure your server to only use compression for static assets (images, CSS, JavaScript) where the risk of data leakage is lower. Avoid compressing dynamic content that contains sensitive information.
• Example (Apache): Use mod_headers to control Content-Encoding.

  
  <FilesMatch ".(js|css|jpg|jpeg|png|gif|svg)">
    Header set Content-Encoding gzip
  </FilesMatch>
  

Regular Security Audits

• Perform regular security audits and penetration testing to identify potential vulnerabilities, including BREACH.
• Use tools that specifically test for BREACH attacks.

Mitigation Summary

The most effective way to prevent BREACH is a combination of disabling HTTP/2, enabling TLS 1.3, and carefully managing Content-Encoding negotiation. Regular security audits are also crucial.