Who stole my cookie? BlackHat 2013 reveals “BREACH” – a massive SSL exposure

If you develop or use web-based products that rely on SSL (which, in practice, means everyone), you now have a new topic to worry about.

At the BlackHat USA 2013 conference in August, researchers demonstrated an exploit that breaches header data of SSL sessions, named “BREACH”.

The claim is that they can quickly and easily expose session header data from compressed SSL sessions using a statistics-based algorithm: they inject their own data into the session, then statistically analyze the resulting compressed web server response to infer what the original session header data contained.

This puts at risk any product with a web service that repeatedly sends sensitive data, such as security tokens, cookies and the like, in session headers.

This looks like a massive issue, for these reasons:

  • Most web servers compress responses to avoid a major performance hit
  • Many developers have assumed they can safely repeat session security information in session headers, relying on SSL to hide it
  • The researchers will release the exploit code to the public
  • No workaround is expected in the near future, other than a thorough review and correction by developers of what their sessions transmit in headers

Developers, be warned!

Users, better review your critical web app providers' security awareness and responsiveness…
