Pinboard (jm)
https://pinboard.in/u:jm/public/
recent bookmarks from jmIvan Ristić: Defending against the BREACH attack2013-08-07T20:33:04+00:00
http://blog.ivanristic.com/2013/08/defending-against-the-breach-attack.html
jmThe award for least-intrusive and entirely painless mitigation proposal goes to Paul Querna who, on the httpd-dev mailing list, proposed to use the HTTP chunked encoding to randomize response length. Chunked encoding is a HTTP feature that is typically used when the size of the response body is not known in advance; only the size of the next chunk is known. Because chunks carry some additional information, they affect the size of the response, but not the content. By forcing more chunks than necessary, for example, you can increase the length of the response. To the attacker, who can see only the size of the response body, but not anything else, the chunks are invisible. (Assuming they're not sent in individual TCP packets or TLS records, of course.) This mitigation technique is very easy to implement at the web server level, which makes it the least expensive option. There is only a question about its effectiveness. No one has done the maths yet, but most seem to agree that response length randomization slows down the attacker, but does not prevent the attack entirely. But, if the attack can be slowed down significantly, perhaps it will be as good as prevented.
]]>mitm attacks hacking security compression http https protocols tls ssl tcp chunked-encoding apachehttps://pinboard.in/https://pinboard.in/u:jm/b:13c0a7ba2031/