Monday, August 19, 2013

Once more unto the BREACH...

Security: noun. The state of being free from danger or threat.

Security is a powerful word on the web. Secure Online Banking, Secure Logins, Secure Portals, Secure Searches: all are now common parts of web vernacular. We have a Secure Web Gateway as part of our product line-up. The basis for much of this security is TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer).

BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) is an attack on HTTPS traffic, though not on the encryption itself: it targets the HTTP compression carried inside the TLS or SSL tunnel. Details are a search away ("tls breach attack" is a good start). The result is that an attacker can extract specific pieces of information from a secure exchange between client and server, one character at a time, such as a CSRF token, a bank account number or a password reset link embedded in a page. The clever bit is that it takes advantage of, and indeed relies on, the fact that this information is compressed as well as encrypted. TLS hides the content of a response but not its length, and a compressed response gets slightly shorter whenever the page contains the same text twice. If the attacker can get something of their choosing echoed into the same page as the secret (a search term, say), make the victim's browser issue plenty of requests, and watch the size of the encrypted responses go past, they guess the secret a character at a time: the guess that matches produces a marginally smaller response.

Servers routinely compress data sent to the client to save bandwidth, but this relies on both parties agreeing to a compression scheme, which is accomplished by the client advising the server in the initial request, via the Accept-Encoding header, which schemes it supports. This is where a nifty new Smoothwall feature comes in. Combined with an older, more entrenched capability, it can help mitigate the BREACH threat. Ironically, this is accomplished by interfering with a secure process.
Regular readers and other Smoothwall users will be aware of YouTube For Schools, which makes use of Smoothwall's header insertion capability to inform YouTube that the client is only allowed access to educational videos. Combining this with HTTPS inspection (which is effectively a man in the middle attack, akin to a switchboard operator listening to a phone call, and something SSL/TLS was designed specifically to prevent), we can override the Accept-Encoding header that specifies which compression schemes the client's browser is willing to accept, effectively instructing the server not to compress data and putting a large blue spanner in the BREACH attack. Two caveats are worth stating. It only protects clients whose HTTPS traffic actually passes through the gateway with inspection enabled, and only where the server honours the header, as it should; the web site itself remains just as exposed to everyone else, so the fix proper belongs on the server (no compression for pages that carry secrets, or secrets that change or are masked on every request). And the price for the clients it does protect is the bandwidth that compression would have saved.
Who says you can’t fight fire with fire?
