Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3155530.eGWR7f6goc@k>
Date: Fri, 16 Aug 2013 19:20:06 +0200
From: Stefan Fritsch <sf@...itsch.de>
To: oss-security@...ts.openwall.com
Subject: Re: SSL BREACH

Am Dienstag, 6. August 2013, 20:11:53 schrieb cve-assign@...re.org:
> >I assume this will get handled like CVE-2009-3555?
> >
> >http://threatpost.com/breach-compression-attack-steals-https-secret
> >s-in-under-30-seconds/101579
> >
> >http://it.slashdot.org/story/13/08/05/233216
> >
> >https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
> 
> MITRE has looked at this in some depth but has not yet decided
> whether this can be treated as a vulnerability in a protocol, with
> one CVE shared across every product. We do realize that
> http://www.kb.cert.org/vuls/id/987798 currently contains one CVE ID.

Not sure if anyone had this idea before: Browsers could mitigate this 
by not sending "Accept-Encoding: gzip" if a request is cross-domain 
and contains some sort of credentials (HTTP-auth, cookies with the 
'secure' attribute, client certificate, ...). This would stop the vast 
majority of attack scenarios while leaving compression enabled for 
most requests.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.