PRACTICAL NEW DEVELOPMENTS IN THE BREACH ATTACK presented at BlackHatAsia 2016

by Dimitris Karakostas, Dionysios Zindros,

Summary : In 2013, BREACH was the sensation of Black Hat USA, introducing a still not mitigated attack vector that exploited compression to compromise SSL connections.
In this talk, we propose new methods to practically extend the attack against the most commonly used encryption ciphers. We describe a command-and-control technique to exploit plain HTTP connections in order to perform the attack in a persistent manner. We also present new statistical methods that can be used to bypass noise present in block ciphers as well as to avoid noise present in usual web applications. Parallelization and optimization techniques are also explored.
We will close the talk by proposing novel mitigation techniques. Finally, we will reveal our tool implementation, as well as experimental results on popular web services.