[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Aug 2013 19:20:06 +0200
From: Stefan Fritsch <sf@...itsch.de>
To: oss-security@...ts.openwall.com
Subject: Re: SSL BREACH
Am Dienstag, 6. August 2013, 20:11:53 schrieb cve-assign@...re.org:
> >I assume this will get handled like CVE-2009-3555?
> >
> >http://threatpost.com/breach-compression-attack-steals-https-secret
> >s-in-under-30-seconds/101579
> >
> >http://it.slashdot.org/story/13/08/05/233216
> >
> >https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
>
> MITRE has looked at this in some depth but has not yet decided
> whether this can be treated as a vulnerability in a protocol, with
> one CVE shared across every product. We do realize that
> http://www.kb.cert.org/vuls/id/987798 currently contains one CVE ID.
Not sure if anyone had this idea before: Browsers could mitigate this
by not sending "Accept-Encoding: gzip" if a request is cross-domain
and contains some sort of credentials (HTTP-auth, cookies with the
'secure' attribute, client certificate, ...). This would stop the vast
majority of attack scenarios while leaving compression enabled for
most requests.
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
