Name | CVE-2013-3587 |
Description | The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Not something that can be concretely fixed in any single package: BREACH is a property of combining HTTP compression with TLS, so mitigations must be done in the web applications themselves (e.g. disabling compression for responses carrying secrets, or masking secrets such as CSRF tokens with a per-response random value).
http://web.archive.org/web/20160304210825/http://breachattack.com/
https://bugzilla.redhat.com/show_bug.cgi?id=995168
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
https://www.mail-archive.com/dev@httpd.apache.org/msg57592.html