The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a “BREACH” attack, a different issue than CVE-2012-4929.
[
{
"product": "HTTPS protocol",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
]
breachattack.com/
github.com/meldium/breach-mitigation-rails
security.stackexchange.com/questions/20406/is-http-compression-safe#20407
slashdot.org/story/13/08/05/233216
www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
www.kb.cert.org/vuls/id/987798
bugzilla.redhat.com/show_bug.cgi?id=995168
hackerone.com/reports/254895
lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3E
support.f5.com/csp/article/K14634
www.blackhat.com/us-13/briefings.html#Prado
www.djangoproject.com/weblog/2013/aug/06/breach-and-django/