The BREACH HTTPS vulnerability has been around for a while now, and I'm not aware of any permanent fix for it except the rather brutal approach of simply disabling compression for a web site.
According to the BREACH attack web site, disabling HTTP compression for your web site is a sure-fire way to mitigate the attack.
The downside is that your pages are then sent uncompressed, so they are bigger and take longer to download.
Usually this wouldn't be that big a deal.
However, Google uses page speed as one of the factors that determine whether and where your site turns up in its search results.
So if two sites have near-identical content, the faster one may rank higher than the other.
And everyone wants the big search engines to return their site first, since most people only look at the first few entries of a search result.
So by disabling compression you can hurt your search ranking and lose hits, and no one wants that.
What to do?
After some discussion, it seems that applications such as WordPress, which have a plugin system or some other way to extend the base platform, may be lucky enough to have someone write a plugin that takes care of the problem for you.
For WordPress one such plugin does exist: it's called Breach Avoider. With it you can leave compression enabled, so you don't lose your search ranking, and still mitigate the risk of someone using BREACH against your site.
Breach Avoider does not disable compression; instead it relies on the other mitigation techniques that the researchers who discovered the attack have described.
One thing that did come up in conversation: if a page does not return any secrets (most commonly login data), then there isn't anything on that page to worry about, so you could leave such pages compressed when they are sent to the user. You would then use the .htaccess file as a scalpel to selectively disable compression only for things such as logon pages.
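Here is what that scalpel looks like in practice. This is an added example for an Apache site using mod_deflate; it is not configuration from the original post or from the Breach Avoider plugin. The paths are assumptions for a typical WordPress install and must be adjusted to wherever your own site places its login and authenticated pages. The idea is the one the post describes: keep compression on for the bulk of the site and switch it off only where a response carries a secret.

```apache
# Added example (not from the original post): keep mod_deflate enabled
# for the site as a whole, but turn it off for responses that carry
# secrets such as session or login data.
<IfModule mod_deflate.c>
    # Compress ordinary text content as before, so most pages keep the
    # speed benefit that matters for search ranking.
    AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript

    # mod_deflate skips any request for which the "no-gzip" environment
    # variable is set, so mark the sensitive paths here. The paths below
    # are assumed WordPress locations; change them to match your site.
    SetEnvIf Request_URI "^/wp-login\.php" no-gzip=1
    SetEnvIf Request_URI "^/wp-admin/"     no-gzip=1
</IfModule>
```

To check that the rule took effect, request a protected page with an `Accept-Encoding: gzip` header (for example with `curl -sI`) and confirm that the response has no `Content-Encoding: gzip` header, while an ordinary page still does. One caveat worth keeping in mind: BREACH needs a secret in a compressed response body, and a CSRF or nonce token embedded in a form on an otherwise public page counts as a secret too, so the list of paths excluded from compression should cover every page that reflects such a token, not only the login page itself.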
So, as the old saying goes, if the disease doesn't get you the cure will, and you may need to pay attention to this one. Disabling compression mitigates the attack but may hurt your search results.
Enabling compression may improve your search results but leaves you open to attack.
As usual, the choice is yours.
Google PageSpeed website: test your loading time and get recommendations.
The BREACH attack web site lists the other ways to mitigate the attack.