Date: Fri, 16 Aug 2013 19:20:06 +0200 From: Stefan Fritsch <sf@...itsch.de> To: oss-security@...ts.openwall.com Subject: Re: SSL BREACH Am Dienstag, 6. August 2013, 20:11:53 schrieb cve-assign@...re.org: > >I assume this will get handled like CVE-2009-3555? > > > >http://threatpost.com/breach-compression-attack-steals-https-secret > >s-in-under-30-seconds/101579 > > > >http://it.slashdot.org/story/13/08/05/233216 > > > >https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ > > MITRE has looked at this in some depth but has not yet decided > whether this can be treated as a vulnerability in a protocol, with > one CVE shared across every product. We do realize that > http://www.kb.cert.org/vuls/id/987798 currently contains one CVE ID. Not sure if anyone had this idea before: Browsers could mitigate this by not sending "Accept-Encoding: gzip" if a request is cross-domain and contains some sort of credentials (HTTP-auth, cookies with the 'secure' attribute, client certificate, ...). This would stop the vast majority of attack scenarios while leaving compression enabled for most requests.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.