BREACH
Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext
Related warning
"This server is vulnerable to a BREACH attack. Disable HTTP compression for cross-site requests, or when the header is not present in a request. Unlike a CRIME vulnerability, turning off TLS compression is not a solution. BREACH exploits the compression in the underlying HTTP protocol."
Problem
The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) vulnerability targets HTTP compression. The attacker manipulates the use of HTTP-level compression to extract information from HTTPS-protected data. This information includes email addresses, security tokens, and other plain text strings.
Basically, the attacker forces your browser to connect to a TLS-enabled website. Using a MITM (man-in-the-middle-attack), they monitor the traffic between you and the site server.
Solution
Web Server
Turn off compression for pages that include PII (Personally Identifiable Information).
Web Browser
Force the browser not to invite HTTP compression use.
Web Applications
Consider moving to cipher AES-128.
Remove compression support on dynamic content.
Separate secrets from user input.
Use rate-limiting requests.