BREACH – Attacks on the TLS Record Protocol

09/02/202209/02/2022| Vera NeelBREACH – Attacks on the TLS Record Protocol| 0 Comment| 03:58
Categories :

21.5.6 BREACH

In the second half of 2013, security researchers Yoel Gluck, Neal Harris, and Angelo Prado published a modification of CRIME that they called Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) [72]. Instead of targeting HTTP requests, BREACH uses the CRIME technique to attack HTTP responses.

The authors are motivated by observing that although TLS-level compression was disabled after CRIME’s publication, HTTP compression remains popular on the web. Moreover, it is common to include secrets such as Cross-Site Request Forgery (CSRF) tokens and user-defined input in the same HTTP response and, therefore, in the same compression context. That, in turn, allowed the authors to apply CRIME to HTTP responses, without relying on TLS compression.

The publication [72] illustrates BREACH using an example attack on Outlook Web Access (OWA). When Bob has established an active OWA session, he transmits the following HTTP request:


GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=<guess>

He then receives the following HTTP response:


<span id=requestUrl>https://malbot.net:443/owa/forms/ basic/BasicEditMessage.aspx?ae=Item&amp;t=IPM.Note& amp;a=New&amp;id=canary=<guess></span>

<td nowrap id=”tdErrLgf”><a href=”logoff.owa?canary=d634cda866f14c73ac135ae858c0d894″>Log Off</a></td>

canary is the CSRF token. Importantly, the string canary= is repeated in the HTTP response. As a result, the size of the response is affected by the lossless compression such as DEFLATE used by HTTP. For example, if the first character of ¡guess¿ matches the first character of canary, DEFLATE will compress the HTTP response even further. Thus, by observing the size of the encrypted traffic, Eve can determine whether her guess was correct or not. Once the guess is correct, Eve proceeds to guess the next byte in canary.

For the OWA example, the BREACH authors were able to extract the encrypted CSRF tokens about 95% of the time, often in under 30 seconds. That also explains the title of their talk given at BlackHat USA 2013: SSL, Gone in 30 Seconds.

BREACH’s attack model is equivalent to that of CRIME: Eve must be able to execute JavaScript on Bob’s computer and must have access to Bob’s network traffic. In addition – like with TIME – the web application needs to reflect user-controlled input and the secret, for instance, the CSRF token of the currently active session, in the HTTP response.

Notably, BREACH is agnostic to the TLS version because it does not require TLS-level compression. Compression of HTTP responses is a common technique at the HTTP level. Consequently, if a web application is vulnerable to BREACH, simply updating the TLS version is not sufficient.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

SMACK – Attacks on TLS Implementations

05/10/202205/10/2022 Vera NeelSMACK – Attacks on TLS Implementations
22.1 SMACK In 2015, a group of French security researchers with Benjamin Beurdouche systematically tested [...]
Read MoreRead More

The compression side channel – Attacks on the TLS Record Protocol

04/05/202304/05/2023 Vera NeelThe compression side channel – Attacks on the TLS Record Protocol
21.5.2 The compression side channel Back in 2002, John Kelsey, a cryptographer working for Certicom [...]
Read MoreRead More

The bugfix – Attacks on TLS Implementations

10/02/202110/02/2021 Vera NeelThe bugfix – Attacks on TLS Implementations
22.4.3 The bugfix The bugfix for the Heartbleed bug is shown in Listing 22.3. It [...]
Read MoreRead More