A Solution to Compression Oracles on the Web
Blake Loring, a PhD student at Royal Holloway, University of London, explains how web compression schemes can be turned into an oracle: an LZ77-style compressor shrinks text that repeats an earlier string, so an attacker who can inject guesses into a page that also carries a secret learns from the length of the compressed (and then encrypted) response whether the guess matched, and can recover the secret one character at a time. This is the mechanism behind the CRIME, BREACH, TIME and HEIST attacks on TLS. To mitigate it, Loring worked at Cloudflare the previous summer on cf-nocompress, a tool intended to mitigate these attacks automatically without significantly reducing the benefit of compression. The approach is selective compression: regular expressions identify secrets within a response, and only the non-secret parts of the page are compressed, so a secret never enters the compressor's window and attacker-controlled text cannot be matched against it. A proof-of-concept implementation is available on GitHub.
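The following is an added, self-contained example written for this summary; it is not code from cf-nocompress or from the original post, and its regex, page template, token values and frame layout are all constructed for the demonstration. It goes slightly beyond the summary by showing both halves of the story: a naive compress-everything response whose length reveals whether a reflected guess equals the page's CSRF token (with a greedy BREACH-style recovery loop), and a selective scheme in which a regex marks the secret, the secret is emitted verbatim, and only the non-secret spans pass through a single shared zlib compressor, so the compressed bytes and the total length no longer depend on the secret.

```python
import re
import zlib

# Toy selective-compression scheme written for this summary; it is not cf-nocompress's
# own code or wire format.  The regex, page template, token values and frame layout
# below are constructed for the demonstration.

# Regex identifying the secret inside a response (here: a 16-hex-digit CSRF token).
SECRET_RE = re.compile(rb"csrf_token=([0-9a-f]{16})")

# Frame kinds for the toy framing: 1 byte kind, 4 bytes big-endian length, payload.
COMPRESSED, STORED = 0, 1


def render_page(token: bytes, reflected: bytes) -> bytes:
    """Constructed sample page: carries a secret token and reflects attacker input."""
    return (
        b"<html><body>\n"
        b'<a href="/logout?csrf_token=' + token + b'">Log out</a>\n'
        b"<p>You searched for: " + reflected + b"</p>\n"
        b"</body></html>\n"
    )


def naive_compress(page: bytes) -> bytes:
    """What a compress-everything server does: secret and reflection share one LZ77 window."""
    return zlib.compress(page, 9)


def frame(kind: int, payload: bytes) -> bytes:
    return bytes([kind]) + len(payload).to_bytes(4, "big") + payload


def split_frames(blob: bytes):
    """Yield (kind, payload) pairs from a framed blob."""
    i = 0
    while i < len(blob):
        kind, n = blob[i], int.from_bytes(blob[i + 1:i + 5], "big")
        yield kind, blob[i + 5:i + 5 + n]
        i += 5 + n


def selective_compress(page: bytes) -> bytes:
    """Compress only the non-secret spans.  One compressor is shared across all of them
    (so redundancy between spans is still exploited), but each span is flushed to a byte
    boundary before a secret is emitted verbatim, and the secret bytes themselves are
    never fed to the compressor, so nothing later in the page can be matched against them."""
    comp = zlib.compressobj(9)
    out = bytearray()
    pos = 0
    for m in SECRET_RE.finditer(page):
        chunk = comp.compress(page[pos:m.start(1)]) + comp.flush(zlib.Z_SYNC_FLUSH)
        out += frame(COMPRESSED, chunk)
        out += frame(STORED, m.group(1))
        pos = m.end(1)
    out += frame(COMPRESSED, comp.compress(page[pos:]) + comp.flush(zlib.Z_FINISH))
    return bytes(out)


def selective_decompress(blob: bytes) -> bytes:
    """Reassemble the page: compressed frames go through one shared decompressor,
    stored frames are copied through unchanged."""
    decomp = zlib.decompressobj()
    out = bytearray()
    for kind, payload in split_frames(blob):
        out += decomp.decompress(payload) if kind == COMPRESSED else payload
    out += decomp.flush()
    return bytes(out)


def compressed_payloads(blob: bytes) -> list:
    """The compressed parts of a selectively compressed response, in order."""
    return [p for k, p in split_frames(blob) if k == COMPRESSED]


def recover_token(measure, prefix=b"csrf_token=", alphabet=b"0123456789abcdef", length=16):
    """Greedy BREACH-style recovery against a length oracle `measure(reflected) -> int`:
    extend the known prefix one character at a time, keeping the guess whose reflection
    yields the shortest response.  Lengths are summed over eight filler lengths to blur
    byte-alignment ties; real attacks add further tricks (for example the 'two tries' method)."""
    known = b""
    for _ in range(length):
        def cost(c):
            return sum(measure(prefix + known + bytes([c]) + b"#" * pad) for pad in range(8))
        known += bytes([min(alphabet, key=cost)])
    return known


if __name__ == "__main__":
    token = b"4f9a2b7c1e03d8b6"  # constructed victim secret
    oracle = lambda reflected: len(naive_compress(render_page(token, reflected)))
    print("naive compression, recovered:", recover_token(oracle), "actual:", token)
    guarded = lambda reflected: len(selective_compress(render_page(token, reflected)))
    print("selective compression, recovered:", recover_token(guarded))
```

Two caveats a practitioner should keep in mind. The regex cannot tell a real token from attacker input that happens to look like one, so a reflected 16-hex-digit guess is also stored uncompressed; that costs a little compression but leaks nothing. And the protection depends entirely on the regex matching every secret in the response: a token that does not fit the pattern is compressed like any other text and remains exposed to the oracle.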
Company
Cloudflare
Date published
March 27, 2018
Author(s)
Guest Author
Word count
1000
Hacker News points
None found.
Language
English