>If I get a chance, I'll try to apply the recent attacks by Rizzo et al. on TLS 
>compression and the compressed stream over TLS equivalent by Prado et al., 
>since I like compression but I also send credentials over TLS :)

I guess you are referring to CRIME/BEAST, right?

I haven't had a deep look into those, but it seems they require plaintext 
injection.

In the context of WebSocket (using compression, and with transport over TLS), 
that would mean injecting WebSocket messages with chosen payload into the 
conversation between client and server.

What I don't get: unless at least one of the endpoints has been compromised, 
how are you going to inject? And if an endpoint has been compromised, one might 
as well just grab the unencrypted stuff right away.

What am I missing?

/Tobias

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
