World Library  
Flag as Inappropriate
Email this Article

BREACH (security exploit)

Article Id: WHEBN0040351757
Reproduction Date:

Title: BREACH (security exploit)  
Author: World Heritage Encyclopedia
Language: English
Subject: Cryptography, CRIME, Botan (programming library), Certificate Transparency, RSA BSAFE
Collection: Chosen-Plaintext Attacks, Computer Security Exploits, Cryptography, Data Compression, Transport Layer Security, Web Security Exploits
Publisher: World Heritage Encyclopedia

BREACH (security exploit)

BREACH (a backronym Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) is a security exploit against HTTPS when using HTTP compression. BREACH is built based on the CRIME security exploit. BREACH was announced at the August 2013 Black Hat conference by security researchers Angelo Prado, Neal Harris and Yoel Gluck.


  • Details 1
  • Mitigation 2
  • References 3
  • External links 4


While the CRIME attack was presented as a general attack that could work effectively against a large number of protocols, only exploits against SPDY request compression and TLS compression were demonstrated and largely mitigated in browsers and servers. The CRIME exploit against HTTP compression has not been mitigated at all, even though the authors of CRIME have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined.

BREACH is an instance of the CRIME attack against HTTP compression - the use by many web browser and web servers of gzip or DEFLATE data compression algorithms via the content-encoding option within HTTP.[1] Given this compression oracle, the rest of the BREACH attack follows the same general lines as the CRIME exploit, by performing an initial blind brute-force search to guess a few bytes, followed by divide-and-conquer search to expand a correct guess to an arbitrarily large amount of content.


BREACH exploits the compression in the underlying HTTP protocol. Therefore, turning off TLS compression makes no difference to BREACH, which can still perform a chosen-plaintext attack against the HTTP payload.[2]

As a result, clients and servers are either forced to disable HTTP compression completely, reducing performance, or to adopt workarounds to try to foil BREACH in individual attack scenarios, such as using

  • Tool that runs the BREACH attack demonstrated at BlackHat 2013

External links

  1. ^
  2. ^
  3. ^
  4. ^


Another suggested approach is to disable HTTP compression whenever the referrer header indicates a cross-site request, or when the header is not present.[4] This approach allows effective mitigation of the attack without losing functionality, only incurring a performance penalty on affected requests.


This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.