Re: breach attack

2013-08-09 Thread Ruediger Pluem
Stefan Fritsch wrote: On Tuesday, 6 August 2013, 10:24:15, Paul Querna wrote: 1) Disabling HTTP compression 2) Separating secrets from user input 3) Randomizing secrets per request 4) Masking secrets (effectively randomizing by XORing with a random secret per request) 5) Protecting

Re: breach attack

2013-08-09 Thread Paul Querna
On Fri, Aug 9, 2013 at 12:11 AM, Ruediger Pluem rpl...@apache.org wrote: Stefan Fritsch wrote: On Tuesday, 6 August 2013, 10:24:15, Paul Querna wrote: 1) Disabling HTTP compression 2) Separating secrets from user input 3) Randomizing secrets per request 4) Masking secrets (effectively

Re: breach attack

2013-08-09 Thread Joe Orton
On Fri, Aug 09, 2013 at 09:14:51AM -0700, Paul Querna wrote: In this case, I don't know if any of the proposed mitigations help; I'd love to have an easy way to validate that, so we could bring data to the discussion: If it increases the attack by multiple hours, and causes a 1% performance

Re: breach attack

2013-08-07 Thread Jeff Trawick
On Tue, Aug 6, 2013 at 1:32 PM, Eric Covener cove...@gmail.com wrote: On Tue, Aug 6, 2013 at 1:24 PM, Paul Querna p...@querna.org wrote: Hiya, Has anyone given much thought to changes in httpd to help mitigate the recently publicized breach attack: http://breachattack.com/ From

Re: breach attack

2013-08-07 Thread Stefan Fritsch
On Tuesday, 6 August 2013, 10:24:15, Paul Querna wrote: 1) Disabling HTTP compression 2) Separating secrets from user input 3) Randomizing secrets per request 4) Masking secrets (effectively randomizing by XORing with a random secret per request) 5) Protecting vulnerable pages with CSRF

breach attack

2013-08-06 Thread Paul Querna
Hiya, Has anyone given much thought to changes in httpd to help mitigate the recently publicized breach attack: http://breachattack.com/ From an httpd perspective, looking at the mitigations http://breachattack.com/#mitigations 1) Disabling HTTP compression 2) Separating secrets from user

Re: breach attack

2013-08-06 Thread Eric Covener
On Tue, Aug 6, 2013 at 1:24 PM, Paul Querna p...@querna.org wrote: Hiya, Has anyone given much thought to changes in httpd to help mitigate the recently publicized breach attack: http://breachattack.com/ From an httpd perspective, looking at the mitigations http://breachattack.com

Re: breach attack

2013-08-06 Thread Paul Querna
On Tue, Aug 6, 2013 at 10:32 AM, Eric Covener cove...@gmail.com wrote: On Tue, Aug 6, 2013 at 1:24 PM, Paul Querna p...@querna.org wrote: Hiya, Has anyone given much thought to changes in httpd to help mitigate the recently publicized breach attack: http://breachattack.com/ From an httpd

Re: breach attack

2013-08-06 Thread Steffen
the recently publicized breach attack: http://breachattack.com/ From an httpd perspective, looking at the mitigations http://breachattack.com/#mitigations 1) Disabling HTTP compression 2) Separating secrets from user input 3) Randomizing secrets per request 4) Masking secrets (effectively randomizing

Re: breach attack

2013-08-06 Thread Paul Querna
traffic and decrypting it later; the Breach attack stuff is about a chosen plaintext attack on compressed response bodies -- afaik they have no overlapping mitigations? But in general, we should rev our defaults in configuration to help with all of the above :) On Tuesday 06/08/2013 at 19:24, Paul

Re: breach attack

2013-08-06 Thread Rainer Jung
On 06.08.2013 19:36, Paul Querna wrote: On Tue, Aug 6, 2013 at 10:32 AM, Eric Covener cove...@gmail.com wrote: On Tue, Aug 6, 2013 at 1:24 PM, Paul Querna p...@querna.org wrote: Hiya, Has anyone given much thought to changes in httpd to help mitigate the recently publicized breach attack