On 8 August 2013 02:07, Clark, Robert Graham <[email protected]> wrote: > My understanding of such attacks is that they require a > point-of-presence within the browser to perform the injection which in > turn enables the side channel. As clients/users won't be interacting > with the API using a browser I'm not 100% convinced that we need to > worry about defending against BREACH/CRIME on the API endpoints but that > *Horizon is a valid concern*.
They need a means to trigger repeated *responses* with slightly differing payloads. One way to trigger that would be code that asks for the same thing thousands of times : which btw a lot of our infrastructure does :(. > I've not checked but I doubt the API endpoints use transport > compression, meaning that even if a user were to attempt to interact > with an endpoint directly using a compromised browser the attack would > not succeed. Any compression that leaks sufficient size data in a side channel will do AIUI, whether it's entity compression, header compression or transport compression. -Rob -- Robert Collins <[email protected]> Distinguished Technologist HP Converged Cloud _______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
