On implementing a client-server setting to prevent the Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) attacks
Title | On implementing a client-server setting to prevent the Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) attacks |
Publication Type | Conference Paper |
Year of Publication | 2016 |
Authors | Sankalpa, I., Dhanushka, T., Amarasinghe, N., Alawathugoda, J., Ragel, R. |
Conference Name | 2016 Manufacturing Industrial Engineering Symposium (MIES) |
Keywords | Bandwidth, BREACH attack, BREACH attacks, browser reconnaissance and exfiltration via adaptive compression of hypertext attacks, Browsers, client-server setting, client-server systems, Compression, Compression algorithms, confidentiality, cryptographic protocols, cryptography, data compression, data protection, DEFLATE compression algorithm, Dictionaries, encoding, Encryption, fixed-dictionary compression, high-value secrets protection, HTTP compression, Network reconnaissance, plaintext, pubcrawl, Resiliency, security, security model, Servers, SSL/TLS, TLS protocol, transport protocols, Web traffic |
Abstract | Compression is desirable for network applications as it saves bandwidth. Differently, when data is compressed before being encrypted, the amount of compression leaks information about the amount of redundancy in the plaintext. This side channel has led to the "Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)" attack on web traffic protected by the TLS protocol. The general guidance to prevent this attack is to disable HTTP compression, preserving confidentiality but sacrificing bandwidth. As a more sophisticated countermeasure, fixed-dictionary compression was introduced in 2015 enabling compression while protecting high-value secrets, such as cookies, from attacks. The fixed-dictionary compression method is a cryptographically sound countermeasure against the BREACH attack, since it is proven secure in a suitable security model. In this project, we integrate the fixed-dictionary compression method as a countermeasure for BREACH attack, for real-world client-server setting. Further, we measure the performance of the fixed-dictionary compression algorithm against the DEFLATE compression algorithm. The results evident that, it is possible to save some amount of bandwidth, with reasonable compression/decompression time compared to DEFLATE operations. The countermeasure is easy to implement and deploy, hence, this would be a possible direction to mitigate the BREACH attack efficiently, rather than stripping off the HTTP compression entirely. |
URL | http://ieeexplore.ieee.org/document/7780263/ |
DOI | 10.1109/MIES.2016.7780263 |
Citation Key | sankalpa_implementing_2016 |
- Dictionaries
- Bandwidth
- BREACH attack
- BREACH attacks
- browser reconnaissance and exfiltration via adaptive compression of hypertext attacks
- Browsers
- client-server setting
- client-server systems
- Compression
- Compression algorithms
- confidentiality
- Cryptographic Protocols
- Cryptography
- data compression
- Data protection
- DEFLATE compression algorithm
- Web traffic
- encoding
- encryption
- fixed-dictionary compression
- high-value secrets protection
- HTTP compression
- Network reconnaissance
- plaintext
- pubcrawl
- Resiliency
- security
- security model
- Servers
- SSL/TLS
- TLS protocol
- transport protocols