Summary:
BREACH is a side-channel attack to HTTPS that allows an attacker to obtain victims’ credentials under certain conditions. An attacker with a privileged position on the network can guess character by character a secret session key just by analyzing the size of the responses returned by the server over HTTPS and encrypted. Heal the Breach (HTB) is the proposed technique to mitigate BREACH attack by randomly changing the size of server responses through a modified gzip library. The attacker needs a precision of one byte in the size of the responses to be able to determine if a guess character is part of the secret token. Since the modified gzip library introduces randomness in the size of the response, BREACH becomes ineffective. The only way to circumvent this protection is to make several requests and compute the average size of the response, which minimizes the random effect. Mathematical and experimental results show that, for a random variation of the size from 1 to 10 bytes, an attacker needs to analyze 500 times more packages to obtain enough accuracy and surpass this mitigation. However, if the number of requests increases it is easier to isolate and block the attack using standard Intrusion Detection Systems (IDS). Compared to other mitigations, the approach presented in this paper is very effective, easy to implement for all websites hosted in the server, and produces a negligible increase in normal traffic.
Spanish layman's summary:
BREACH es un ataque de canal lateral a HTTPS que permite robar claves secretas de páginas web. HTB (Heal-the-BREACH) es una mitigación que introduce una pequeña variación aleatoria en el tamaño de las respuestas del servidor, que confunden al atacante. HTB está deseñador para proteger todos los sitios web de un servidor.
English layman's summary:
BREACH is a side-channel attack to HTTPS for stealing secret tokens embedded in web pages. HTB (Heal-the-BREACH) is a mitigation that introduces a small randomness in the size of the webpages returned by a server that fools the algorithm of the attack. HTB is designed to protect all websites in a server.
Keywords: BREACH, CRIME, gzip library, HTTPs, side-channel attacks.
JCR Impact Factor and WoS quartile: 3,900 - Q2 (2022); 3,400 - Q2 (2023)
DOI reference: https://doi.org/10.1109/ACCESS.2022.3166175
Published on paper: 2022.
Published on-line: April 2022.
Citation:
R. Palacios, A. Fariña Fernández-Portillo, E.F. Sánchez-Úbeda, P. García-de-Zúñiga, HTB: a very effective method to protect web servers against BREACH attack to HTTPS. IEEE Access. Vol. 10, pp. 40381 - 40390, 2022. [Online: April 2022]