Re: SSL BREACH

[Stefan Fritsch <sf () sfritsch de>]

Am Dienstag, 6. August 2013, 20:11:53 schrieb cve-assign () mitre org:
> > I assume this will get handled like CVE-2009-3555?
> >
> > http://threatpost.com/breach-compression-attack-steals-https-secret
> > s-in-under-30-seconds/101579
> >
> > http://it.slashdot.org/story/13/08/05/233216
> >
> > https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
>
> MITRE has looked at this in some depth but has not yet decided
> whether this can be treated as a vulnerability in a protocol, with
> one CVE shared across every product. We do realize that
> http://www.kb.cert.org/vuls/id/987798 currently contains one CVE ID.

Not sure if anyone had this idea before: Browsers could mitigate this 
by not sending "Accept-Encoding: gzip" if a request is cross-domain 
and contains some sort of credentials (HTTP-auth, cookies with the 
'secure' attribute, client certificate, ...). This would stop the vast 
majority of attack scenarios while leaving compression enabled for 
most requests.