oss-sec mailing list archives
Re: SSL BREACH
From: Stefan Fritsch <sf () sfritsch de>
Date: Fri, 16 Aug 2013 19:20:06 +0200
Am Dienstag, 6. August 2013, 20:11:53 schrieb cve-assign () mitre org:
I assume this will get handled like CVE-2009-3555? http://threatpost.com/breach-compression-attack-steals-https-secret s-in-under-30-seconds/101579 http://it.slashdot.org/story/13/08/05/233216 https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/MITRE has looked at this in some depth but has not yet decided whether this can be treated as a vulnerability in a protocol, with one CVE shared across every product. We do realize that http://www.kb.cert.org/vuls/id/987798 currently contains one CVE ID.
Not sure if anyone had this idea before: Browsers could mitigate this by not sending "Accept-Encoding: gzip" if a request is cross-domain and contains some sort of credentials (HTTP-auth, cookies with the 'secure' attribute, client certificate, ...). This would stop the vast majority of attack scenarios while leaving compression enabled for most requests.
Current thread:
- SSL BREACH Kurt Seifried (Aug 06)
- Re: SSL BREACH cve-assign (Aug 06)
- Re: SSL BREACH Stefan Fritsch (Aug 16)
- Re: SSL BREACH cve-assign (Sep 23)
- Re: SSL BREACH cve-assign (Aug 06)