BREACH

BREACH was announced at the August 2013 Black Hat conference by security researchers Angelo Prado, Neal Harris and Yoel Gluck.

Therefore, turning off TLS compression makes no difference to BREACH, which can still perform a chosen-plaintext attack against the HTTP payload.

[3] As a result, clients and servers are either forced to disable HTTP compression completely (thus reducing performance), or to adopt workarounds to try to foil BREACH in individual attack scenarios, such as using cross-site request forgery (CSRF) protection.

[5][6] This approach allows effective mitigation of the attack without losing functionality, only incurring a performance penalty on affected requests.

A very effective mitigation is HTB (Heal-the-BREACH)[8] that adds random-sized padding to compressed data, providing some variance in the size of the output contents.