Nov 21, 2014 - 12:00 a.m.

K14634 : SSL/TLS BREACH vulnerability CVE-2013-3587

my.f5.com
AI Score: 5.6 Medium (Confidence: High)

Security Advisory Description

The BREACH vulnerability allows attackers to discover secrets carried in HTTP-compressed responses sent over SSL/TLS. By injecting plaintext into an HTTPS request, an attacker can learn information about the corresponding HTTPS response by measuring its size. The attack relies on the attacker’s ability to observe the size of the ciphertext received by the browser while triggering a number of strategically crafted requests to a target site.

Important: This vulnerability is caused by a limitation of the HTTP compression protocol and cannot be resolved without causing incompatibility with standard browsers and web servers. Until and unless the HTTP compression protocol definition is updated to remove this limitation, F5 has no plans to address this vulnerability. There will be no further updates to this article, unless new information is discovered.

Impact

By observing the length of compressed HTTPS responses, an attacker may be able to obtain plaintext secrets from the ciphertext of an HTTPS stream.
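The length side channel described above can be measured directly. The following is an added example, not part of the F5 advisory: it compares the on-the-wire size of a response when reflected request input matches a secret in the same body against an equal-length input that does not, with HTTP compression on and off. The page template, token value and guesses are constructed for illustration.

```python
import zlib

# Constructed sample values; none of them come from the advisory.
SECRET = "csrf_token=7f3a9c1e5b2d4680"
RIGHT_GUESS = "csrf_token=7f3a9c1e"   # reflected input matching the secret's prefix
WRONG_GUESS = "csrf_token=0d8b6e24"   # same length, wrong value


def render(reflected: str) -> bytes:
    """Hypothetical page that echoes request input in the same body as a secret."""
    return (
        f"<html><body><p>Results for: {reflected}</p>"
        f"<input type='hidden' value='{SECRET}'></body></html>"
    ).encode()


def wire_length(body: bytes, compress: bool) -> int:
    """Body size as seen on the wire. TLS encryption preserves this length
    to within padding, so an observer of ciphertext sizes learns it."""
    return len(zlib.compress(body, 9)) if compress else len(body)


def length_signal(compress: bool) -> int:
    """Bytes saved when the reflected input matches the secret.

    A non-zero result means the response size depends on the secret's content.
    """
    return (wire_length(render(WRONG_GUESS), compress)
            - wire_length(render(RIGHT_GUESS), compress))


if __name__ == "__main__":
    print("compression on :", length_signal(True), "byte(s) of signal")
    print("compression off:", length_signal(False), "byte(s) of signal")
```

With compression enabled, the matching input is folded into a longer back-reference and the response shrinks; with compression disabled, both responses have identical length, which is why the advisory attributes the issue to HTTP compression rather than to the encryption layer.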