CRIME and BREACH attacks, HTTP/2 and HTTP/3 #83365

alexandrehtrb · 2023-03-14T00:50:39Z

alexandrehtrb
Mar 14, 2023

Hello,

I have been reading on CRIME and BREACH attacks and I want to learn better how to protect against them.

From what I understood, those attacks require TLS encryption over HTTP compression and HTTP content reflecting an user input.

My questions are:

HTTP/2 uses HPACK and HTTP/3 uses QPACK header compressions, which are secure against CRIME and BREACH. If my secret data is only in headers, does that mean that I can safely use HTTP compression, with HTTP/2 or HTTP/3?
If only a part of the HTTP response is compressed (e.g., the body), but the secrets are not compressed, is it safe?

Xyncgas · 2023-03-14T10:24:01Z

Xyncgas
Mar 14, 2023

Spectre is still not fixed it's dommed
My speculation is the vulnerability wouldn't exist if you are not using its attack surface
if you are using a secure method of compression then it's secure

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CRIME and BREACH attacks, HTTP/2 and HTTP/3 #83365

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

CRIME and BREACH attacks, HTTP/2 and HTTP/3 #83365

Uh oh!

Uh oh!

alexandrehtrb Mar 14, 2023

Replies: 1 comment

Uh oh!

Uh oh!

Xyncgas Mar 14, 2023

alexandrehtrb
Mar 14, 2023

Xyncgas
Mar 14, 2023