Saturday, August 06, 2016

Protect yourself against the HEIST + BREACH vulnerability



The new HEIST vulnerability, demonstrated at Black Hat this week, makes it possible to use BREACH and/or CRIME vulnerabilities to decode HTTPS traffic (or HTTP/2) without the hacker having a man-in-the-middle position.

[EDIT: Just to be clear, this will not protect against all instances of the HEIST attack, but as it disables BREACH, it protects against the specific technique of combining HEIST and BREACH.]

CRIME requires TLS compression, which was dropped in 2012 by most products that supported it. BREACH requires HTTP compression within the HTTPS session, which the attacker manipulates to determine the plaintext contents of the encrypted message.

Many web site admins have been shutting off HTTP compression on encrypted sites for a while, but you cannot trust that everyone else is as diligent, so a browser-based approach is best for protecting your own info.

In order for compression to work, the browser and the server both need to support it, so the server relies on a request from the browser.

To prevent Google Chrome from requesting compressed pages, you need to modify the Accept-Encoding request header. There is a plugin for Google Chrome called ModHeader that will allow you to do that. Simply install ModHeader and insert an entry for Accept-Encoding with a blank value, as shown below:

[Image: ModHeader entry for Accept-Encoding with a blank value]



You can test this at the following site: http://www.whatsmyip.org/http-compression-test/
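The same check can be run locally. The following is an added example, not code from the original post: it starts a constructed test server on 127.0.0.1 that gzips only when asked, then compares a request with a typical Accept-Encoding value against one with the blank value described above. The names `Handler`, `probe` and `run_demo` are hypothetical.

```python
import gzip
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample page body (repetitive, so it compresses well).
BODY = b"<html>" + b"constructed sample page body " * 50 + b"</html>"

class Handler(BaseHTTPRequestHandler):
    """Constructed test server: gzips only when the client asks for it."""
    def do_GET(self):
        wants_gzip = "gzip" in self.headers.get("Accept-Encoding", "").lower()
        payload = gzip.compress(BODY) if wants_gzip else BODY
        self.send_response(200)
        if wants_gzip:
            self.send_header("Content-Encoding", "gzip")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def probe(host, port, accept_encoding, path="/"):
    """Send one GET; return (Content-Encoding or None, bytes on the wire)."""
    conn = HTTPConnection(host, port, timeout=5)
    # Passing the header explicitly stops http.client adding its own default.
    conn.request("GET", path, headers={"Accept-Encoding": accept_encoding})
    resp = conn.getresponse()
    raw = resp.read()  # http.client does not decompress, so this is wire size
    conn.close()
    return resp.getheader("Content-Encoding"), len(raw)

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {"default": probe("127.0.0.1", port, "gzip, deflate"),
                "blank": probe("127.0.0.1", port, "")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for name, (enc, size) in run_demo().items():
        print(f"Accept-Encoding {name:8}: Content-Encoding={enc}, {size} bytes")
```

A response to the blank header that still carries a Content-Encoding value means the server compresses regardless of what the browser requests, so the browser-side change does not help for that site.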

The drawback to turning HTTP compression off is that sites that do use compression (which is still perfectly safe for non-encrypted sites, as there are no secrets to be revealed) will load a little more slowly, as GZIP or Deflate compression can decrease the size of sites by about 60%.

