CRIME/BREACH attacks exploiting TLS and HTTP compression

6/10 Medium

TLS-level and HTTP-level compression can leak secret data like CSRF tokens through compression side-channels. Teams must carefully handle compression of responses containing secrets.

Category: security
Workaround: solid
Stage: deploy
Freshness: declining
Scope: cross_platform
Upstream: wontfix
Recurring: No
Buyer Type: team

Sources

Collection History

Query: “What are the most common pain points with SSL/TLS for developers in 2025?” 4/9/2026

CRIME / BREACH: Attacks on TLS compression and HTTP compression (especially with reflected secrets in responses). Mitigation: disable TLS-level compression and carefully handle compression of responses containing secrets like CSRF tokens.

Created: 4/9/2026 Updated: 4/9/2026