Bugzilla – Bug 833754
VUL-0: CVE-2013-3587: various: BREACH attack allows attackers to sniff SSL encrypted HTTP traffic
Last modified: 2015-05-11 08:29:35 UTC
Similar to CRIME. More info available at: https://threatpost.com/breach-compression-attack-steals-https-secrets-in-under-30-seconds/101579
Note: I'm not sure whether this is an issue with SSL actually. I think this can only occur with compression layers in between (such as mod_deflate). I also talked with darix about it and he confirmed that disabling this is a valid workaround. Any other opinions?
This is not only about disabling compression at the web server level; you also need to filter the fields from the Accept-* header to avoid e.g. PHP using output compression.
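The two-part mitigation described in the comments above (turn off compression in the web server and strip the client's Accept-Encoding so a backend such as PHP cannot compress on its own) written out as an Apache httpd configuration. This is an added example, not configuration from this bug report, from darix or from the distribution; it assumes httpd with mod_ssl, mod_deflate and mod_headers loaded, and the ServerName is a placeholder.

```apache
# Added example (not part of the bug report): httpd vhost that removes the
# compression layers a BREACH-style length side channel depends on.
# Assumes mod_ssl, mod_deflate and mod_headers are loaded.
<VirtualHost *:443>
    # placeholder hostname
    ServerName www.example.com
    SSLEngine on

    # TLS-level compression is the CRIME vector; this directive needs
    # httpd 2.2.24 / 2.4.3 or later.
    SSLCompression off

    # Tell mod_deflate not to compress any response in this vhost.
    <IfModule mod_deflate.c>
        SetEnv no-gzip 1
    </IfModule>

    # Remove the client's Accept-Encoding before it reaches the application,
    # so PHP (zlib.output_compression) or a proxied application server never
    # sees a request for compressed output.
    <IfModule mod_headers.c>
        RequestHeader unset Accept-Encoding
    </IfModule>
</VirtualHost>
```

To confirm the change took effect, send a request over HTTPS with an explicit `Accept-Encoding: gzip` header and check that the response carries no `Content-Encoding` header; if PHP is in use, setting `zlib.output_compression = Off` in php.ini is a belt-and-braces second layer for the same backend path. The cost is the bandwidth compression saved, which is why the comment above treats this as a workaround rather than a fix.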
bugbot adjusting priority
I haven't seen any update from openssl community. I'll keep eyes on this issue.
(In reply to comment #1)
> Note:
>
> I'm not sure whether this is an issue with SSL actually. I think this can only
> occur with compression layers in between (such as mod_deflate). I also talked
> with darix about it and he confirmed that disabling this is a valid workaround.
>
> Any other opinions?

OpenSSL won't fix this issue on the SSL level. Django gave some possible mitigation solutions: https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

Should I close this bug as "won't fix"?
According to oss-sec (http://www.openwall.com/lists/oss-security/2013/09/24/1) it should not be fixed in OpenSSL. So I'm closing this bug as "won't fix".
CVE-2013-3587 referenced by Redhat
- put out docu guidance not to use compression in webservers?
(In reply to comment #8)
> - put out docu guidance not to use compression in webservers?

Yes, sounds reasonable.
disabled compression in the meantime, not much more we can do