Big Bug in SSL : breach compression attack (CVE-2013-3587) affect imgur.com

Hi imgur Security Team, This is an urgent issue and wish you fix it as soon as possible ... so this web application " imgur.com " " is potentially vulnerable to the BREACH attack. An attacker with the ability to: Inject partial chosen plaintext into a victim's requests Measure the size of encrypted traffic can leverage information leaked by compression to recover targeted parts of the plaintext. BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is a category of vulnerabilities and not a specific instance affecting a specific piece of software. To be vulnerable, a web application must: Be served from a server that uses HTTP-level compression Reflect user-input in HTTP response bodies Reflect a secret (such as a CSRF token) in HTTP response bodies URL: /signin/ Attack details This alert was issued because the following conditions were met: The page content is served via HTTPS The server is using HTTP-level compression URL encoded GET input redirect was reflected into the HTTP response body. HTTP response body contains a secret named csrf The impact of this vulnerability An attacker can leverage information leaked by compression to recover targeted parts of the plaintext. How to fix this vulnerability The mitigations are ordered by effectiveness (not by their practicality - as this may differ from one application to another). Disabling HTTP compression Separating secrets from user input Randomizing secrets per request Masking secrets (effectively randomizing by XORing with a random secret per request) Protecting vulnerable pages with CSRF Length hiding (by adding random number of bytes to the responses) Rate-limiting the requests Good Fix ,