It was found that by observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream. This attack known as BREACH (Browser Reconnaissance and Extration via Adaptive Compression of Hypertext) was demonstrated by researchers at the Blackhat Conference (USA) 2013.

More details about the flaw along with the research paper is available at:

http://breachattack.com/
http://www.kb.cert.org/vuls/id/987798
https://media.blackhat.com/us-13/US-13-Prado-SSL-Gone-in-30-seconds-A-BREACH-beyond-CRIME-WP.pdf
https://community.qualys.com/blogs/securitylabs/2013/08/07/defending-against-the-breach-attack

Several mitigations have been proposed for the attack, these include the following:

1. Disable HTTP compression.
2. Separate the secrets from the user input.
3. Randomize the secrets in each client request.
4. Mask secrets (effectively randomizing by XORing with a random secret per request).
5. Protect web pages from CSRF attacks.
6. Obfuscate the length of web responses by adding random amounts of arbitrary bytes.