On Fri, Aug 09, 2013 at 06:37:50PM -0400, Eric Covener wrote:
>> It would be interesting to see how feasible "barriers" in mod_deflate would
>> be. E.g., if my application outputs
>>
>> <input type="hidden" name="csrftoken" DEFLATE_BARRIER_START value="1234"
>> DEFLATE_BARRIER_END>
>>
>> maybe mod_deflate could be taught not to compress the parts in-between.
> For this attack, it would be enough to compress that section by itself
> -- a barrier between the reflected user input and the "secret".

Indeed. (Or just avoid compressing it altogether.) But there's no simple
way of sending that signal to mod_deflate now that I know of.

/* Steinar */

-- 
Homepage: http://www.sesse.net/
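A worked illustration of the "compress that section by itself" idea, added here as an example; it is not code from this thread and not mod_deflate's own implementation. It uses Python's zlib with Z_FULL_FLUSH as the barrier: a full flush emits everything buffered so far and clears the compressor's match state, so the bytes after the barrier cannot be encoded as back-references to the reflected input before it, while the output remains one ordinary zlib stream a client can decompress. The HTML fragments, parameter name and token value are constructed placeholders, not taken from any real application.

```python
import zlib

# Constructed stand-in for an application response: a reflected query value,
# then a CSRF token. Placeholder strings, not from any real site.
PREFIX = b'<input type="hidden" name="q" value="'
MIDDLE = b'"><input type="hidden" name="csrftoken" value="'
SECRET = b'1234'          # placeholder secret
SUFFIX = b'"></form>'


def page(reflected: bytes) -> bytes:
    """The uncompressed response body for a given reflected input."""
    return PREFIX + reflected + MIDDLE + SECRET + SUFFIX


def compress_naive(reflected: bytes) -> bytes:
    """One deflate stream over the whole body: the reflected input and the
    secret share a window, so the output size depends on how much of the
    secret the reflected input happens to repeat."""
    comp = zlib.compressobj()
    return comp.compress(page(reflected)) + comp.flush(zlib.Z_FINISH)


def compress_with_barrier(reflected: bytes) -> tuple:
    """Same stream, but with a barrier on each side of the secret.

    Z_FULL_FLUSH plays the role of DEFLATE_BARRIER_START / _END: it flushes
    the pending block and clears the LZ77 hash, so the secret is encoded on
    its own and later bytes cannot reference it either. Returns the stream
    and the number of compressed bytes the secret section contributed.
    """
    comp = zlib.compressobj()
    out = comp.compress(PREFIX + reflected + MIDDLE)
    out += comp.flush(zlib.Z_FULL_FLUSH)                # barrier start
    secret_part = comp.compress(SECRET) + comp.flush(zlib.Z_FULL_FLUSH)  # barrier end
    out += secret_part
    out += comp.compress(SUFFIX) + comp.flush(zlib.Z_FINISH)
    return out, len(secret_part)


def secret_cost(reflected: bytes) -> int:
    """Compressed size of the secret section under the barrier scheme; a
    defender's check that it does not change with the reflected input."""
    return compress_with_barrier(reflected)[1]


def round_trips(reflected: bytes) -> bool:
    """Both variants must still decompress to the original body."""
    expected = page(reflected)
    stream, _ = compress_with_barrier(reflected)
    return (zlib.decompress(stream) == expected
            and zlib.decompress(compress_naive(reflected)) == expected)


if __name__ == "__main__":
    # Two reflected values of equal length: one that repeats the token's
    # field name, one unrelated. Without the barrier the response size
    # differs; with it, the secret's own cost is identical.
    for r in (b"csrftoken=12", b"qwertyuiopas"):
        print(r, len(compress_naive(r)), secret_cost(r), round_trips(r))
```

The check a practitioner would run is the last one: for inputs of the same length, the secret section's compressed cost under the barrier scheme must be the same, whereas the naive stream's total size is not.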