
HTTPS Hackable In 30 Seconds: DHS Alert

"Security experts are warning website operators to test whether their HTTPS traffic is vulnerable to a new crypto attack that can be used to grab sensitive information.

The so-called BREACH attack -- short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -- was detailed in a Department of Homeland Security (DHS) "BREACH vulnerability in compressed HTTPS" advisory, issued Friday, which warned that "a sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream." All versions of the transport layer security (TLS) and secure sockets layer (SSL) protocols are vulnerable."

http://www.informationweek.com/security/attacks/https-hackable-in-30-seconds-dhs-alert/240159435#mc_jive

Original issue from HS:

"By observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream."

http://www.kb.cert.org/vuls/id/987798

Questions to the gurus on this forum:

1) Does anyone know if this vulnerability can also impact use of other SSL/TLS types of access such as ssh or vpn?

2) If the above is true, does this mean that using VPN or SSH on public wifi is at risk?

3) Do we now need to consider additional encryption over HTTP/HTTPS?

4) Any special impact to VPS?

5) Any other constructive thoughts and comments welcome.
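
The length signal described in the CERT note quoted above, together with two known mitigations (turning HTTP compression off for the response, and masking the secret with a fresh random pad per response), as an added example that is not part of the original post. The page template, the token values and all helper names are constructed for illustration.

```python
import secrets
import zlib

TOKEN = "7f3a9c51d2e8"   # constructed sample secret embedded in the page
WRONG = "b64e0d17a5c2"   # constructed value of the same length, not the secret

def render(reflected: str, token_field: str) -> bytes:
    """Hypothetical page that echoes a request parameter and embeds a secret."""
    return (
        f"<html><body><p>Results for: {reflected}</p>"
        f"<form><input type='hidden' name='csrf' value='{token_field}'>"
        "</form></body></html>"
    ).encode()

def wire_len(body: bytes, compress: bool = True) -> int:
    """Body length on the wire; TLS hides the content but not the length."""
    return len(zlib.compress(body, 9)) if compress else len(body)

def length_gap(token_field_for, compress: bool = True) -> int:
    """len(page echoing WRONG) - len(page echoing TOKEN); > 0 means a leak."""
    right = wire_len(render(TOKEN, token_field_for()), compress)
    wrong = wire_len(render(WRONG, token_field_for()), compress)
    return wrong - right

def mask(token: str) -> str:
    """Masking mitigation: hex of a fresh pad followed by (pad XOR token)."""
    raw = bytes.fromhex(token)
    pad = secrets.token_bytes(len(raw))
    return (pad + bytes(a ^ b for a, b in zip(pad, raw))).hex()

def unmask(field: str) -> str:
    """Server-side inverse of mask(): split the field and XOR the halves."""
    blob = bytes.fromhex(field)
    half = len(blob) // 2
    return bytes(a ^ b for a, b in zip(blob[:half], blob[half:])).hex()

if __name__ == "__main__":
    # Secret in the clear + compression: echoed text that equals the secret
    # is replaced by a DEFLATE back-reference, so the response is shorter.
    print("gap, compressed, plain token:", length_gap(lambda: TOKEN))
    # Compression off: equal-length inputs give equal-length responses.
    print("gap, uncompressed:", length_gap(lambda: TOKEN, compress=False))
    # Masked: the secret never appears literally, so there is nothing for
    # the echoed text to match; the field also changes on every response.
    field = mask(TOKEN)
    print("token present in masked page:", TOKEN in render(WRONG, field).decode())
    print("server recovers token:", unmask(field) == TOKEN)
```

A positive gap on a real endpoint is the condition the advisory asks operators to test for: the response is compressed, echoes request data, and carries a secret in the same body.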

