http://www.darkreading.com/vulnerability/https-side-channel-attack-a-tool-for-enc/240157583
We do not have the details yet. But it seems like this will be yet another variant of the 'in the browser' adaptive plaintext attack against SSL enabling cookie stealing.

There are two problems we need to fix:

1) Whatever the latest SSL issue is.
2) Stop using bearer tokens for authentication.

I anticipated this attack (it is the third time round after all) which is why I wrote the session ID scheme as a drop in replacement for cookies. In the short term sites would have to support both schemes as a transitional measure but given the current transition to HTML5 it is entirely likely that some sites can force a transition sooner.

http://www.ietf.org/id/draft-hallambaker-httpsession-01.txt

--
Website: http://hallambaker.com/
