
BREACH mitigation

Question asked by manu@qualys on Oct 14, 2013
Latest reply on Dec 6, 2015 by dutchman

There have been various BREACH mitigation techniques proposed. The only one that is relevant for the system administrator is to drop cookies for requests that have a referer from outside. For Apache, this means:

SetEnvIfNoCase Referer ^https://www\.example\.com keep_cookies
RequestHeader unset Cookie env=!keep_cookies

That breaks a lot of things, but I wonder if it could not be used as a basis for another approach. BREACH is made possible by HTTP compression. Why not disable HTTP compression when the referer is from outside? It is already advised to disable it for broken browsers; we could just add the outside-referer condition, like this:

SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|zip|gz|tgz)$ no-gzip dont-vary
# BREACH mitigation (untested): set no-gzip unless the Referer starts with our own origin
# (a pattern that matches our own origin would disable compression for same-site requests instead)
SetEnvIfNoCase Referer "^(?!https://vip\.espci\.fr)" no-gzip
Header append Vary User-Agent env=!dont-vary

Does it make sense, or am I overlooking something?
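As an added check, not part of the original post or of Apache itself, here is a small Python model of the rule chain above, assuming the site origin https://vip.espci.fr from the post and a negated Referer pattern so that only cross-site or missing referers set no-gzip; it also mirrors mod_deflate's handling of gzip-only-text/html, so you can see which sample requests would still be compressed:

```python
import re

# Constructed model of the mod_setenvif / BrowserMatch chain from the post.
# Each rule: (attribute, regex, case-insensitive?, flags); a "!" prefix unsets a flag.
# The Referer rule is negated so that only referers NOT starting with our own
# origin (assumption: https://vip.espci.fr, as in the post) set no-gzip.
RULES = [
    ("User-Agent",  r"^Mozilla/4",                      False, ["gzip-only-text/html"]),
    ("User-Agent",  r"^Mozilla/4\.0[678]",              False, ["no-gzip"]),
    ("User-Agent",  r"\bMSIE",                          False, ["!no-gzip", "!gzip-only-text/html"]),
    ("Request_URI", r"\.(?:gif|jpe?g|png|zip|gz|tgz)$", True,  ["no-gzip", "dont-vary"]),
    ("Referer",     r"^(?!https://vip\.espci\.fr)",     True,  ["no-gzip"]),
]


def evaluate_env(headers, request_uri):
    """Return the set of environment flags the rule chain would leave set."""
    env = set()
    for attribute, pattern, nocase, flags in RULES:
        if attribute == "Request_URI":
            value = request_uri
        else:
            # Assumption: a missing header is matched as the empty string, so a
            # request without any Referer also hits the negated rule (no-gzip).
            value = headers.get(attribute, "")
        if re.search(pattern, value, re.IGNORECASE if nocase else 0):
            for flag in flags:
                if flag.startswith("!"):
                    env.discard(flag[1:])
                else:
                    env.add(flag)
    return env


def will_compress(headers, request_uri, content_type="text/html"):
    """Mirror mod_deflate's decision: no-gzip always wins, and
    gzip-only-text/html restricts compression to text/html responses."""
    env = evaluate_env(headers, request_uri)
    if "no-gzip" in env:
        return False
    if "gzip-only-text/html" in env and content_type != "text/html":
        return False
    return True


if __name__ == "__main__":
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"   # constructed sample UA
    for referer in ("https://vip.espci.fr/login", "https://other.example/", None):
        h = {"User-Agent": ua}
        if referer:
            h["Referer"] = referer
        print(referer, "->", "gzip" if will_compress(h, "/account") else "identity")
```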