On Fri, Aug 9, 2013 at 5:24 PM, Steinar H. Gunderson <[email protected]> wrote:
> On Tue, Aug 06, 2013 at 01:32:00PM -0400, Eric Covener wrote:
>> Another option in this neighborhood is small/varying deflate blocks.
>> But that probably limits the usefulness of deflate to the same extent
>> that it helps. The idea is to make it less likely that the user input
>> and secret get compressed together.
>
> It would be interesting to see how feasible "barriers" in mod_deflate would
> be. E.g., if my application outputs
>
> <input type="hidden" name="csrftoken" DEFLATE_BARRIER_START value="1234"
> DEFLATE_BARRIER_END>
>
> maybe mod_deflate could be taught not to compress the parts in-between.
For this attack, it would be enough to compress that section by itself -- a barrier between the reflected user input and the "secret".
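
The length oracle the thread is talking about, worked through in Python as an added example (this is not code from the thread or from mod_deflate; the page skeleton, the token value and the attacker's guesses are all made up here). The barrier is modelled with zlib's Z_FULL_FLUSH, which ends the current deflate block and clears the matcher's hash table so no LZ77 back-reference can cross it; mod_deflate has no such directive, the code only shows what the proposed one would buy:

```python
"""BREACH-style length oracle against a page that reflects attacker input
and carries a CSRF token, with and without a deflate "barrier" around the
token.

Added example, not code from the thread or from mod_deflate. The page
skeleton, the token and the guesses are constructed here. The barrier is
modelled with Z_FULL_FLUSH: it emits the pending block and clears the
match state, so nothing after the flush can reference anything before it.
"""
import zlib

HEX = b"0123456789abcdef"
TOKEN = b"3f9a1c7e5b0d2486"          # 16 distinct hex digits: no internal repeats
HEAD = b"<html><body><p>Search results for: "
MID = b'</p><form method="post"><input type="hidden" name="csrftoken" value="'
TAIL = b'"></form></body></html>'


def render(reflected: bytes, token: bytes = TOKEN) -> bytes:
    """The uncompressed response: attacker-controlled text before the secret."""
    return HEAD + reflected + MID + token + TAIL


def deflate_whole(reflected: bytes, token: bytes = TOKEN) -> bytes:
    """Ordinary behaviour: one stream, one window, everything may match."""
    c = zlib.compressobj(level=6)
    return c.compress(render(reflected, token)) + c.flush(zlib.Z_FINISH)


def deflate_with_barrier(reflected: bytes, token: bytes = TOKEN) -> bytes:
    """The token is compressed as a block of its own. A full flush on either
    side resets match state, so the token cannot reference the reflected
    text and the text after it cannot reference the token."""
    c = zlib.compressobj(level=6)
    out = c.compress(HEAD + reflected + MID)
    out += c.flush(zlib.Z_FULL_FLUSH)     # barrier start: hash table cleared
    out += c.compress(token)
    out += c.flush(zlib.Z_FULL_FLUSH)     # barrier end
    out += c.compress(TAIL)
    return out + c.flush(zlib.Z_FINISH)


def probe(guess: bytes, barrier: bool) -> int:
    """Attacker's measurement: size of the response when the reflected text
    carries the known prefix followed by `guess`."""
    fn = deflate_with_barrier if barrier else deflate_whole
    return len(fn(b'name="csrftoken" value="' + guess))


def size_advantage(guess: bytes, barrier: bool) -> int:
    """Bytes saved by `guess` relative to a control with the same digits in
    the wrong order. With one window a correct guess is absorbed into a
    single back-reference; behind a barrier it is literals either way."""
    return probe(guess[::-1], barrier) - probe(guess, barrier)


def best_next_digits(known: bytes, barrier: bool) -> set:
    """One step of the byte-at-a-time loop: which next digits give the
    smallest response. A single byte of delta is easily masked by Huffman
    coding and byte alignment, so a real attack needs repeated, padded
    probes; this only shows the shape of the loop."""
    sizes = {bytes([d]): probe(known + bytes([d]), barrier) for d in HEX}
    smallest = min(sizes.values())
    return {d for d, n in sizes.items() if n == smallest}


if __name__ == "__main__":
    for barrier in (False, True):
        print("barrier" if barrier else "no barrier",
              "- advantage of the correct token:", size_advantage(TOKEN, barrier),
              "bytes; best first digits:", sorted(best_next_digits(b"", barrier)))
```

Run as a script, the first line shows the page with the correct token reflected coming out a dozen or so bytes shorter than the same-digit control, which is the whole attack; the second shows the advantage at zero, because once the token sits in its own block the reflected guess is literals whichever way it is ordered. Both outputs are still ordinary zlib streams that any client inflates unchanged. The price of each barrier is the sync marker of a full flush plus whatever matches across it are lost, the same trade-off as the small-block idea quoted above, just paid only around the secret.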
