Moodle in English: The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

Forums
Documentation
Downloads
Demo
Tracker
Development
Translation
Search

Search
Moodle Sites

Moodle.org

The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

This discussion has been locked so you can no longer reply to it.

Re: The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

by Damyon Wiese - Thursday, 25 June 2015, 10:50 AM

From my reading of the vulnerability, it "might" allow a man in the middle to steal a sesskey even if the connection is protected via SSL.

It would require:
A) the man in the middle to see all traffic from the victim and the server (even if it is encrypted)
B) control over the victims browser to make it submit requests to arbitrary urls (e.g. convincing them to visit a phishing site, or inject code into any "non-ssl" response)

If this is a concern, you can mitigate it completely by disabling gz compression (mod_deflate). This may impact the performance of your site.

Average of ratings: Useful (2)

Security and privacy

The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

Re: The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

Empowering educators to improve our world

Moodle

Support

Get Involved

Contributions

Downloads

Tracker

Development

Empowering educators to improve our world