Defending against the BREACH Attack

Ivan Ristic

Last updated on: December 21, 2022

When Juliano and Thai disclosed the CRIME attack last year, it was clear that the same attack technique could be applied to any other compressed data, and compressed response bodies (via HTTP compression) in particular. But it was also clear that—with our exploit-driven culture—browser vendors were not going to do anything about.

Progress will be made now that there is an exploit to worry about because, this year at Black Hat, a group of researched presented BREACH, a variant of CRIME that works exactly where it hurts the most, on HTTP response bodies. If you’re not already familiar with the attack I suggest that you go to the researchers’ web site, where they have a very nice paper and a set of slides.

If you don’t want to read the paper right this moment, I will remind you that the CRIME attack works by having the attacker guess some secret text. The trick is to include the guess in the same context as the actual secret (for example, the same response body). When his guess is 100% wrong, the size of the response increases for the size of the guess. But, when the guess is correct (fully, or partially, meaning there is some overlap between the guess and the secret), compression kicks in, and the response body shrinks slightly. With enough guesses and enough time, you can guess anything on the page.

TLS does not defend against this attack because, when the protocol was originally designed, it was impossible for MITM attackers to submit arbitrary plaintext via victims’ browsers. Since then, the threat model evolved, but the protocols remained the same. (Interestingly, there is a draft proposal to deal with this sort of thing at the TLS level: Length Hiding Padding for the Transport Layer Security Protocol.)

Mitigation

Clearly, one option is to address the problem at the TLS level; but that will take some time.

Outside TLS, the paper itself includes a nice list of mitigation options, and, with exceptions, I am not going to repeat them here. In general, it’s not going to be easy. When dealing with CRIME, we were fortunate because few people knew TLS compression existed, and only a small number of browsers/users actually supported it. This time, the flaw is exploited in a feature that’s not only very widely used, but one which many sites cannot exist without. Just try convincing a large site to turn off compression, at a large financial and performance cost.

Although most discussions about BREACH will no doubt focus on its threat against CSRF tokens, we should understand that the impact is potentially wider. Any sensitive data contained in responses is under threat. The good news is that session tokens don’t appear to be exposed. However, a well-placed forged CSRF request can do a lot of damage.

CSRF Token Defence

For CSRF tokens there is a simple and effective defence, which is to randomize the token by masking it with a different (random) value on every response. The masking does not hide the token (whoever has the token can easily reverse the masking), but it does defeat the attack technique. Guessing is impossible when the secret is changing all the time. Thus, we can expect that most frameworks will adopt this technique. Those who rely on frameworks will only need to upgrade to take advantage of the defence. Those who don’t will have to fix their code.

HTTP Chunked Encoding Mitigation

The award for least-intrusive and entirely painless mitigation proposal goes to Paul Querna who, on the httpd-dev mailing list, proposed to use the HTTP chunked encoding to randomize response length. Chunked encoding is a HTTP feature that is typically used when the size of the response body is not known in advance; only the size of the next chunk is known. Because chunks carry some additional information, they affect the size of the response, but not the content. By forcing more chunks than necessary, for example, you can increase the length of the response. To the attacker, who can see only the size of the response body, but not anything else, the chunks are invisible. (Assuming they’re not sent in individual TCP packets or TLS records, of course.)

This mitigation technique is very easy to implement at the web server level, which makes it the least expensive option. There is only a question about its effectiveness. No one has done the maths yet, but most seem to agree that response length randomization slows down the attacker, but does not prevent the attack entirely. But, if the attack can be slowed down significantly, perhaps it will be as good as prevented.

Referer Check Mitigation

A quick, dirty, tricky, and a potentially unreliable mitigation approach you can apply today is to perform Referer header checks on all incoming requests. Because the attacker cannot inject requests from the web site itself (unless he gains access via XSS, in which case he owns the browser and has no need for further attacks), he must do so from some other web site (a malicious web site, or an innocent site hijacked from a MITM location). In that case, the referrer information will show the request originating from that other web site, and we can easily detect that.

Now, you can’t just drop such requests (because then no links to your web site would work any more), but you can drop all the cookies before they reach the application. Without the cookies, your application will not resume the victim’s session, and won’t place anything secret in the response. Attack mitigated.

There is a catch, however (as Hubert pointed out to me this morning): if your web site relies on being framed by arbitrary 3rd party web sites, or if it exposes public services to others (for browser consumption), then you can’t use this defence. I am assuming your services need the cookies. If they do not, you’re back in the game. If you do decide to try it, please test your major use cases in a staging environment first.

You can implement this defence with only two Apache directives (replace www.example.com with your own domain name):

SetEnvIfNoCase Referer ^https://www\.example\.com keep_cookies
RequestHeader unset Cookie env=!keep_cookies

The cookies are kept only for requests arriving from the same site. There’s a potential problem with users that follow links from other sites and bookmarks and expect to be logged in straight away (either because they are already logged in, or because your site supports auto-log in). For such users you might need to have a welcome page, where you will ask them to click on a link to enter the web site. The cookies will be sent again on the next request.

Just to be clear, there is a long history of attacks focusing on spoofing the Referer header. For example, there was one such problem in Chrome just recently. However, such attacks are addressed quickly after discovery. Further, as Krzysztof Kotowicz pointed out, it is trivial to submit requests that do not contain the Referer header (read about it here and here).

To conclude, I can’t really say that I like this approach, but its huge advantage is that you can deploy it very quickly at the web server or reverse proxy level, without having to make any changes to the application code. Even with all the constraints, I imagine there will be a large number of applications for which the trade-offs will be acceptable.

We Should Really Fix the Browsers

I would really like to see this problem addressed where it should be addressed—at the browser level. At the moment, a MITM attacker can intercept your non-encrypted requests, mess with them, and trick your browser into sending requests with arbitrary content to the sites that you care about. It’s this interaction that’s making several very interesting attacks possible: BEAST, CRIME, RC4, and now BREACH.

A carefully designed opt-in security measure could do the trick, but I suppose it would take a lot of talking and politics to get it implemented. The idea is that a web site can control which other web sites (cross-origins) can initiate requests to it, even if it is via <script> and <img> tags.

Incidentally, just a couple of days ago, Mike Shema and Vaagn Toukharian (fellow Qualys employees), proposed a new cookie control (update: and there is now a follow-up post from Mike) that would restrict when cookies are sent. Their intention was to deal with CSRF, but the measure would work against BREACH, too. If a 3rd party web site initiates a request to your web site, against your wishes, being able to tell the browser to drop the cookies would mitigate the potential attacks.


Update (8 August 2013): The first version of this blog post included a referrer check defence that allowed empty referrers, with the idea to support auto-log in for the users following bookmarks. But then Krzysztof Kotowicz pointed out that the Referer header can be removed by the attackers. I have now modified the example to drop cookies on all requests not originating from the web site.

Update (14 October 2013): A better idea for mitigation based on referrer checking is to selectively disable compression, rather than drop cookies. This approach comes with a slight performance penalty, but no loss of functionality. Read the original discussion thread for more information how to achieve this with Apache.

Show Comments (7)

Comments

Your email address will not be published. Required fields are marked *

  1. Hi Ivan.

    First I want to thank you *a lot* for all your work; I’m a big fan and I use your services since a while now.

    Do you think the BREACH attack could be checked by the SSL Server Test?

    I guess it could be tricky actually, maybe an "orange" warning (like RC4 or FS) could do the job (to test the main page?).

    Thomas.

    1. No, I don’t think SSL Labs can do anything useful about BREACH. Compression alone is not enough, you have to have secrets, too. And it’s going to be very difficult to determine if someone’s mitigation is sufficient.

      Yes, an orange warning is probably the best we can do.

  2. I don’t quite understand the relatively slow reaction to threats. For example, even though this is a little off topic, the latest firefox version 23, finally supports TLS 1.1, but it is DISABLED in the

    about:config setting "security.tls.version.max." You can set the value to 3, and it will be set up to accept TLS 1.2 when version 24 comes out.

    1. @JJ, if web server does NOT have support for TLS v1.1 or  v1.2 and Firefox v23 or v24 in about:config setting security.tls.version.max is set to use TLS v1.1 or v1.2 then Firefox browser will NOT be able to fallback to TLS v1.0 supported by web server, but instead you will get an error message in browser, because this fall-back is currently NOT implemented in Firefox. So TLS v1.1 and TLS v1.2 are currently in Firefox intended only for TESTING purposes and are NOT ready for use for real web usage currently, because tons of web servers do not support never versions of TLS protocol. So Firefox needs to implement this fall-back and this is not done yet, so we will probably need to wait for few versions that TLS v1.1 and TLS 1.2 are properly implemented in Firefox and when they will be then TLS v1.2 and v1.1 will definitely be ENABLED by default.

      P.S. This is off-topic. If you need more info I suggest to ask additional questions on Firefox forum.

  3. @j-mailor

    I have tried changing the TLS version "max" setting with Amazon.com, and it appears to work. That website only accepts SSL 3 or TLS 1. I used smartsniff for Nirsoft since Firefox doesn’t list the version easily.

    In Firefox 23, TLS 1.1 is supported and works (and falls back) when you set the max setting in about:config to 2, setting it to 3 causes the program to fallback to TLS 1 or SSL 3 in all cases. I am wrong about that, because in my previous comment, I said it would be good to set the value to 3, until version 24 comes out.

    Setting the max setting in Firefox beta 24 revisions 6 and above to "3," as far as I have tested, will allow both TLS 1.2 and fallbacks seamlessly.