httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <cove...@gmail.com>
Subject Re: breach attack
Date Fri, 09 Aug 2013 22:37:50 GMT
On Fri, Aug 9, 2013 at 5:24 PM, Steinar H. Gunderson
<sgunderson@bigfoot.com> wrote:
> On Tue, Aug 06, 2013 at 01:32:00PM -0400, Eric Covener wrote:
>> Another option in this neighborhood is small/varying deflate blocks.
>> But that probably limits the usefulness of deflate to the same extent
>> that it helps.  The idea is to make it less likely that the user input
>> and secret get compressed together.
>
> It would be interesting to see how feasible “barriers” in mod_deflate would
> be. E.g., if my application outputs
>
>   <input type="hidden" name="csrftoken" DEFLATE_BARRIER_START value="1234" DEFLATE_BARRIER_END>
>
> maybe mod_deflate could be taught not to compress the parts in-between.

For this attack, it would be enough to compress that section by itself
-- a barrier between the reflected user input and the "secret".

Mime
View raw message