BREACH Avoider

Description

In August 2013 a new web vulnerability was disclosed, summed up in a few words as “HTTPS can be hacked in 30 seconds”.

If you’re using HTTPS (TLS or SSL) at any level (admin, front end, even for a single page) you HAVE to protect your site against this flaw now.

How? Just install this free plugin!

FAQ

What is BREACH?

It stands for “Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext”.
Read this http://www.kb.cert.org/vuls/id/987798 and this http://breachattack.com/

How to protect against BREACH?

Some of these mitigations may protect entire applications, while others may only protect individual web pages.
1. Disable HTTP compression. (1)
2. Separate the secrets from the user input. (2)
3. Randomize the secrets in each client request. -> Done!
4. Mask secrets (effectively randomizing by XORing with a random secret per request). -> Done!
5. Protect web pages from CSRF attacks.
6. Obfuscate the length of web responses by adding random amounts of arbitrary bytes. -> Done!

(1) I do not recommend this because of the performance cost, but you can do it yourself in your php.ini or .htaccess; google “how to disable http gzip compression”.
(2) This can’t be done in WordPress.

Install this plugin and be protected as much as can be done within WordPress.
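As an added example, not the plugin's own code (the plugin is written in PHP and none of its source appears on this page), the following Python shows how items 3, 4 and 6 of the list above fit together: a fresh random pad per request, XOR masking of the secret, hex encoding so the result can sit in a hidden form field, constant-time verification of the submitted value (the Python counterpart of the hash_equals() named in the 1.3 changelog), and random-length incompressible padding of the response body. The function names, the hidden-field encoding and the padding format are assumptions chosen for illustration.

```python
import hmac
import secrets


def mask_token(token: bytes) -> bytes:
    """Mitigation 4: XOR the secret with a fresh random pad on every request.

    Returns pad || (token XOR pad). The token's own bytes never appear in the
    output and the output changes on every call, so a compressed response that
    embeds it shares no stable substring with any guess of the token.
    """
    pad = secrets.token_bytes(len(token))
    masked = bytes(t ^ p for t, p in zip(token, pad))
    return pad + masked


def unmask_token(blob: bytes) -> bytes:
    """Recover the original token from pad || masked (both halves equal length)."""
    if len(blob) % 2:
        raise ValueError("masked token must be pad || masked with equal halves")
    half = len(blob) // 2
    pad, masked = blob[:half], blob[half:]
    return bytes(m ^ p for m, p in zip(masked, pad))


def mask_token_hex(token: bytes) -> str:
    """Hex-encode the masked blob for a hidden form field or URL parameter
    (hypothetical field format; hex is used because the plugin's changelog
    mentions hex2bin()/pack() conversions)."""
    return mask_token(token).hex()


def verify_token_hex(field: str, expected: bytes) -> bool:
    """Unmask a submitted hex field and compare it in constant time, the
    Python equivalent of PHP's hash_equals()."""
    try:
        submitted = unmask_token(bytes.fromhex(field))
    except ValueError:  # odd length or non-hex characters in the field
        return False
    # compare_digest returns False (no exception) when the lengths differ
    return hmac.compare_digest(submitted, expected)


def pad_response(body: bytes, max_bytes: int = 32) -> bytes:
    """Mitigation 6: append a random amount of *incompressible* filler.

    Random hex inside an HTML comment is used on purpose: a run of repeated
    characters such as 'xxxx' would be squeezed back to a near-constant size
    by gzip and the response length would no longer be obscured.
    """
    n = secrets.randbelow(max_bytes + 1)      # 0 .. max_bytes random bytes
    filler = secrets.token_hex(n).encode()    # 2*n hex characters
    return body + b"<!-- " + filler + b" -->"


if __name__ == "__main__":
    # Constructed sample: a CSRF-style nonce that a page would normally embed.
    nonce = b"csrf-nonce-1234"
    field = mask_token_hex(nonce)
    print("hidden field value:", field)
    print("verifies:", verify_token_hex(field, nonce))
    print(pad_response(b"<html><body>hello</body></html>", 8))
```

Each call to mask_token_hex() yields a different field value for the same nonce, which is exactly what item 3 ("randomize the secrets in each client request") asks for; the server only needs the original nonce to verify, so nothing extra has to be stored per request.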

Changelog

1.3

  • 11 Aug 2015
  • WordPress 4.3 support
  • Security hardening using wp_get_session_token() + hash_equals()

1.2

  • 29 Aug 2013
  • pack() turned out to have problems as well, so I now use my own conversion function.

1.1

  • 29 Aug 2013
  • hex2bin() is not always available (it was only added in PHP 5.4), so use pack() instead

1.0

  • 29 Aug 2013
  • First release

Contributors & Developers

This is open source software. The following people have contributed to this plugin.
