"This server is vulnerable to the BREACH attack. Disable HTTP compression for cross-site requests, or when the request carries no header. Unlike the CRIME vulnerability, turning off TLS compression is not a fix: BREACH exploits the compression in the underlying HTTP protocol."
The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) vulnerability targets HTTP compression. An attacker manipulates the use of HTTP-level compression to extract data from HTTPS-protected responses, including email addresses, security tokens and other plaintext strings.
Essentially, the attacker forces your browser to connect to a TLS-enabled website while using a MITM (man-in-the-middle) position from which they monitor the traffic between you and the web server.
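As an added example (not code from the DigiCert page or from any DigiCert product), the following Python shows why the advice above is framed around HTTP compression rather than TLS compression, and how a server can apply the mitigation the page recommends. The first part compresses a constructed HTML page that contains a hidden token and a reflected query string, and shows that the compressed size depends on whether the reflected text repeats bytes of the token, which is the length signal BREACH observes. The second part is a hypothetical `build_response` helper that only enables gzip for same-site requests, treating a missing `Referer` header as cross-site; the host name `bank.example` and all request headers are constructed for the example.

```python
import gzip
import zlib
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample secret: a hidden anti-CSRF token embedded in every page.
SECRET_TOKEN = b"Q7mZp2xK9vTb4Lw8"


def render_page(secret: bytes, reflected: bytes) -> bytes:
    """Constructed HTML body: a secret token plus user-controlled reflected text."""
    return (
        b'<html><body><form><input type="hidden" name="token" value="'
        + secret
        + b'"></form><p>You searched for: '
        + reflected
        + b"</p></body></html>"
    )


def compressed_length(body: bytes) -> int:
    """Size of the body after DEFLATE, as an HTTP gzip/deflate encoder would emit it."""
    return len(zlib.compress(body, 6))


def length_difference(secret: bytes, correct_guess: bytes, wrong_guess: bytes) -> int:
    """Return (size with wrong guess) - (size with correct guess).

    A positive value means the page compresses smaller when the reflected text
    matches the secret, i.e. HTTP-level compression leaks information about the
    token through the response length.  Disabling TLS compression does nothing
    about this because the body is already compressed before TLS sees it.
    """
    small = compressed_length(render_page(secret, correct_guess))
    large = compressed_length(render_page(secret, wrong_guess))
    return large - small


def is_same_site(headers: Mapping[str, str], own_host: str) -> Optional[bool]:
    """True if the Referer is same-site, False if cross-site, None if absent."""
    referer = headers.get("Referer")
    if not referer:
        return None
    host = urlsplit(referer).hostname
    return host is not None and host.lower() == own_host.lower()


def should_compress(headers: Mapping[str, str], own_host: str) -> bool:
    """Mitigation from the page: compress only for same-site requests.

    Cross-site requests and requests with no Referer header both get an
    uncompressed response, so a cross-origin attacker cannot use the
    response length as a compression oracle.
    """
    return is_same_site(headers, own_host) is True


def build_response(headers: Mapping[str, str], own_host: str, body: bytes) -> Tuple[str, bytes]:
    """Return (Content-Encoding, payload) for the given request headers."""
    if should_compress(headers, own_host):
        return "gzip", gzip.compress(body)
    return "identity", body


if __name__ == "__main__":
    diff = length_difference(SECRET_TOKEN, SECRET_TOKEN, b"n3Fh6Sd1Yq5Gc0Rj")
    print("bytes saved when reflected text matches the token:", diff)
    same_site = {"Referer": "https://bank.example/account"}
    cross_site = {"Referer": "https://other.example/page"}
    for name, hdrs in [("same-site", same_site), ("cross-site", cross_site), ("no referer", {})]:
        enc, _ = build_response(hdrs, "bank.example", render_page(SECRET_TOKEN, b"hello"))
        print(f"{name:>10}: Content-Encoding={enc}")
```

The same-site check here relies on the `Referer` header because that is the signal the page names; a deployment could apply the same decision to other request metadata, but the mitigation stays at the HTTP layer, where the compression happens.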
©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.