On 13 August 2013 at 8:54:30 PM, Ryan Schmidt ([email protected]) wrote:
On Aug 13, 2013, at 19:50, Aria Stewart wrote: > It’s a systemic flaw in the way that compression interacts with encryption. > The best ways to defeat it are to make your compression unpredictable to an > order of magnitude that outstrips the ability to guess what the content is by > how it’s compressed given enough tries. > > It’s hard to fix statistical attacks without letting the details leak into > the layers above. In this case, adding random data in certain places in the > stream is what’s needed — but that means altering the content, it’s not a > simple transform that can be done at low layers. Yeah, that sounds like it's going way over my head. What is the vulnerability? that compressed data transmitted over SSL can be intercepted by third-parties? but that uncompressed data cannot be? Yeah. With enough inputs (and preferably some way to tweak the stream — like, perhaps, sending messages to a user, or if there’s a time displayed in the stream — or there’s a date header like in http), one can read what is sent over the channel with some certainty given enough requests. It’s not usually enough to read the entire page, but certain content could be — things like session keys are certainly high-value and small enough to get. Adding randomness to the stream in the right places can insulate sensitive data from being revealed in the length of the encrypted data. That said, I’m no cryptographer, just a programmer who thinks she understands statistics and compression (and so far hasn’t seemed to do anything too bone-headed with crypto that she knows of). —Aria -- -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en --- You received this message because you are subscribed to the Google Groups "nodejs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
