My understanding of such attacks is that they require a point-of-presence within the browser to perform the injection which in turn enables the side channel. As clients/users won't be interacting with the API using a browser I'm not 100% convinced that we need to worry about defending against BREACH/CRIME on the API endpoints but that *Horizon is a valid concern*.
I've not checked but I doubt the API endpoints use transport compression, meaning that even if a user were to attempt to interact with an endpoint directly using a compromised browser the attack would not succeed.

> -----Original Message-----
> From: Robert Collins [mailto:[email protected]]
> Sent: 07 August 2013 10:21
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [Horizon][Security] BREACH/CRIME Attack Information
>
> On 7 August 2013 20:30, Thierry Carrez <[email protected]> wrote:
> > Gabriel Hurley wrote:
> >> Many of you have probably heard about the "BREACH" attack/security vulnerability in HTTPS traffic that was disclosed recently, and I'd like to take a moment to provide some info about how that affects Horizon. I'm not following the official vulnerability management process because 1. The vulnerability is already disclosed publicly, 2. Workaround information has already been published by Django and many others, and 3. There's no one-off code fix on our end so awareness is the best possible thing.
> >
> > Agree that there is nothing to patch in our code at this point and therefore no base for an OpenStack Security Advisory (OSSA). The information you provided would still make a great OpenStack Security Note (OSSN), though. Those are issued by the OpenStack Security Group, I CC-ed Rob Clark so that he puts it on his radar.
>
> Note that our API services are likely a rich target too - when running under SSL it should be fairly straight forward to get minor changes to the payload from keystone (e.g. with repeated token calls - but I don't know the API well enough to speculate in detail).
>
> -Rob
>
> --
> Robert Collins <[email protected]>
> Distinguished Technologist
> HP Converged Cloud
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
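Two defender-side pieces for the compression question in this thread, as an added example that is not code from the thread, Horizon or OpenStack: a header check telling whether an HTTPS endpoint answers with an HTTP-compressed body (the thing the reply above says it has not checked), and a WSGI middleware that keeps such compression off over TLS so a layer like Django's GZipMiddleware never compresses a secret together with reflected input. `compressed_over_tls`, `probe`, `NoCompressionOverTLS`, `gzipping_app` and `run_wsgi` are invented names; the stand-in app and the WSGI environ are constructed for the demonstration.

```python
import gzip
import urllib.request

BODY_ENCODINGS = {"gzip", "deflate", "br", "compress"}

def compressed_over_tls(url, response_headers):
    """True when an https:// URL answered with an HTTP-compressed body.
    BREACH needs secret and attacker-influenced text in one compressed TLS body,
    so a plain body is not exposed. Header-name case is ignored."""
    if not url.lower().startswith("https://"):
        return False
    lowered = {k.lower(): v for k, v in response_headers.items()}
    sent = {e.strip().lower() for e in lowered.get("content-encoding", "").split(",")}
    return bool(sent & BODY_ENCODINGS)

def probe(url):
    """Live check: offer compression to a real endpoint and report what it sent."""
    req = urllib.request.Request(url, headers={"Accept-Encoding": "gzip, deflate"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return compressed_over_tls(url, dict(resp.headers.items()))

class NoCompressionOverTLS:
    """WSGI middleware (hypothetical): drop Accept-Encoding on HTTPS requests so a
    downstream compressor such as Django's GZipMiddleware sends plain bodies."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        if (environ.get("wsgi.url_scheme") == "https"
                or environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"):
            environ.pop("HTTP_ACCEPT_ENCODING", None)  # downstream sees no gzip offer
        return self.app(environ, start_response)

def gzipping_app(environ, start_response):
    """Constructed stand-in for an app that gzips a body mixing a secret and input."""
    body = b"csrf=SECRET-VALUE; q=" + environ.get("QUERY_STRING", "").encode()
    headers = [("Content-Type", "text/plain")]
    if "gzip" in environ.get("HTTP_ACCEPT_ENCODING", ""):
        body, headers = gzip.compress(body), headers + [("Content-Encoding", "gzip")]
    start_response("200 OK", headers)
    return [body]

def run_wsgi(app, scheme, accept="gzip, deflate"):
    """Drive an app once with a constructed environ; return lower-cased response headers."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update((k.lower(), v) for k, v in headers)
    environ = {"wsgi.url_scheme": scheme, "HTTP_ACCEPT_ENCODING": accept,
               "REQUEST_METHOD": "GET", "QUERY_STRING": "name=guest"}
    b"".join(app(environ, start_response))
    return captured
```

Wrapping the constructed app in the middleware removes the `Content-Encoding: gzip` it would otherwise emit over https while leaving plain-http responses unchanged; `probe` runs the same header check against a live URL.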
