Date: Tue, 24 Sep 2013 01:29:11 -0400 (EDT)
Subject: Re: SSL BREACH

>Date: Tue, 6 Aug 2013 20:11:53 -0400 (EDT)

>>I assume this will get handled like CVE-2009-3555?
>MITRE has looked at this in some depth but has not yet decided whether
>this can be treated as a vulnerability in a protocol, with one CVE
>shared across every product. We do realize that
> currently contains one CVE ID.

Our current thought is that BREACH is not a vulnerability in the HTTPS
protocol, and instead should be considered a vulnerability class. In
this view, there would be one CVE for each independent codebase that
can be successfully attacked using the BREACH exploit methodology.

As a vulnerability class, BREACH is somewhat similar to the XSS
vulnerability class. They are both about limitations on what a web
site can safely do with untrusted client input:

  Reflected cross-site scripting (XSS) - your web site must
  not take arbitrary markup strings from a client and include
  them verbatim in an HTML document within an HTTP response

  Cross-site duplicate compression (XSDC, aka BREACH) - your web
  site (sometimes) must not take arbitrary strings from a
  client and include them verbatim in the input to a compression
  algorithm used for an HTTPS response

(This is just a way to outline why we think that the
one-CVE-per-codebase approach makes sense. It doesn't mean that MITRE
is necessarily in favor of adopting this "XSDC" terminology.)

MITRE is not currently seeing many reports in which the BREACH issue
is being associated with an affected codebase of a specific web
application. Maybe the only public example is the OWA codebase
mentioned in the original BREACH paper:,%20gone%20in%2030%20seconds.pdf

(Yes, we realize that BREACH exploitation, in general, depends both on
details of the web application and on details of the web-server
configuration. As a practical matter, the details of the web
application are very likely to be the limiting factor on the overall
population size of exploitable web sites.)

There are other reports indicating that other types of products can or
should be fixed because they contribute to the possibility of a
successful BREACH attack against a specific web application, but no
specific web application is identified, e.g.,

Open source:

Non-open source:

There is nothing yet suggesting that a huge number of CVEs will
ultimately come out of this.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
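The XSDC condition described above (untrusted client input and a secret placed verbatim in the same compressed HTTPS response) can be shown concretely. The following is an added example, not part of the original message and not MITRE's code: a toy page renderer, a defender's self-test that checks whether a correct prefix of the known secret compresses smaller than an unrelated string, and one mitigation, per-response token masking, so the secret never appears verbatim in the compressed text. The token value, guesses and function names are all constructed for the example.

```python
import secrets
import zlib

# Constructed sample values (not from the original message).
SECRET_TOKEN = "3f9a7c21d4e8b0657a1c9e2f4b6d8a0c"  # 32 hex chars = 16 bytes
CORRECT_GUESS = 'value="3f9a7c21d4e8'  # shares a prefix with the token
WRONG_GUESS = 'value="q9w8e7r6t5y4'  # same length, no shared prefix

def render(reflected: str, token_value: str) -> str:
    """One HTTPS response body: untrusted client input plus a CSRF token."""
    return (
        "<html><body>\n"
        f"<p>Search results for: {reflected}</p>\n"
        f'<form><input type="hidden" name="csrf" value="{token_value}"></form>\n'
        "</body></html>\n"
    )

def render_vulnerable(reflected: str) -> str:
    """XSDC-prone: the secret sits verbatim in the same compressed body."""
    return render(reflected, SECRET_TOKEN)

def mask_token(token: bytes, mask=None) -> str:
    """Per-response masking: emit mask || (mask XOR token), hex-encoded, so the
    secret never appears verbatim and a reflected guess has nothing to match."""
    mask = mask if mask is not None else secrets.token_bytes(len(token))
    return mask.hex() + bytes(m ^ t for m, t in zip(mask, token)).hex()

def unmask_token(masked: str) -> bytes:
    """Server side: recover the token from a masked value sent back with a form."""
    half = len(masked) // 2
    mask, xored = bytes.fromhex(masked[:half]), bytes.fromhex(masked[half:])
    return bytes(m ^ x for m, x in zip(mask, xored))

def render_hardened(reflected: str) -> str:
    """Same page, but the token is masked with a fresh random mask per response."""
    return render(reflected, mask_token(bytes.fromhex(SECRET_TOKEN)))

def compressed_len(body: str) -> int:
    """Size after DEFLATE, as HTTP content-encoding would send it."""
    return len(zlib.compress(body.encode("utf-8"), 6))

def leaks_via_compression(page, correct_guess: str, wrong_guess: str) -> bool:
    """Defender's self-test (the secret is known): does reflecting a correct prefix
    of the secret compress smaller than an unrelated string of the same length?
    True means the page is prone to the XSDC/BREACH class."""
    return compressed_len(page(correct_guess)) < compressed_len(page(wrong_guess))
```

Masking protects only the masked secret; any other secret in the same compressed response, and the web-server configuration factors the message mentions, still need their own treatment.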
