httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <>
Subject Re: breach attack
Date Sun, 11 Aug 2013 23:35:18 GMT
> What do you think of including a header? Is there a way to find out
> from the encrypted traffic where the header ends and where the body
> starts?

For a typical request they are in separate SSL records and someone running
a packet capture can tell when the headers or body has grown.  We could
arrange for the headers to always span an SSL record, and put a variable
length one at the bottom  -- but that only helps if the secret and request
data are in the first frame.

View raw message