On Sat, Oct 3, 2015 at 4:54 PM, Yoav Nir <ynir.i...@gmail.com> wrote:
> An even more executive-level lesson might be that security layers should > not provide non-security services, but that is not really convincing > because if there was a separate compression layer that you could compose > with the security layer in TLS, CRIME would still be possible. To compress > HTTP without the danger of CRIME you need to either not compress header > fields with sensitive information, not compress header fields that might be > controlled by an attacker, or at least delegate those to a separate > compression state. The attack you're describing (or one fairly close to it) already happened, and it's called BREACH. It impacts HTTP compression, and allows attackers to recover things like CSRF tokens in page bodies. The takeaway for me is you can't mix compression, any fixed value an attacker wishes to learn, and attacker-controlled data, or there will be a compression side-channel. -- Tony Arcieri
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
