HTTP"not?"S

Yevrag35 · Aug 7, 2013

HTTPS now hackable in under 30 seconds: HTTPS Hackable In 30 Seconds: DHS Alert - Security - Attacks/breaches

The perp still has to be already inside the local network, but this really underscores the importance for businesses and institutions to setup stringent policies that restrict non-essential user access to local resources.

office politics · Aug 15, 2013

Vulnerability Note VU#987798 - BREACH vulnerability in compressed HTTPS

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds.

Some of these mitigations may protect entire applications, while others may only protect individual web pages.
â€¢Disable HTTP compression.
â€¢Separate the secrets from the user input.
â€¢Randomize the secrets in each client request.
â€¢Mask secrets (effectively randomizing by XORing with a random secret per request).
â€¢Protect web pages from CSRF attacks.
â€¢Obfuscate the length of web responses by adding random amounts of arbitrary bytes.

HTTP"not?"S

Yevrag35

Pushing Daisies on Saturn

office politics

It's all just 1s and 0s

Similar threads