- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Thu, 28 Apr 2016 15:04:45 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>
https://ruptureit.com/

Practical New Developments on BREACH
Dimitris Karakostas and Dionysis Zindros
<https://raw.github.com/dionyziz/rupture/develop/etc/Black%20Hat%20Asia%202016/asia-16-Practical-New-Developments-In-The-BREACH-Attack-wp.pdf>

[...]

7.2 First-party cookies

The feasibility of the attack lies in the fact that the attacker can utilize the target service as a compression oracle and retrieve encrypted compressed secrets along with chosen plaintext data. This is possible due to the fact that authentication cookies are included in cross-origin requests. However, this inclusion is completely unnecessary for most web applications. The ability to mark cookies as first-party only will eliminate the existence of the oracle. The first-party cookies proposal [14] describes such a mechanism, with the purpose of avoiding CSRF attacks. Interestingly, the same mechanism can be used to defend against compression side-channel attacks and eliminates the possibility completely. This proposal is still in draft stage and has not been implemented in any browser. We urge browser vendors to adopt it immediately and web service authors to opt-in.

[...]

https://tools.ietf.org/html/draft-west-first-party-cookies
Received on Thursday, 28 April 2016 22:05:32 UTC
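The excerpt above argues that marking authentication cookies as first-party only removes the compression oracle, because the cookie is no longer attached to cross-site requests. The following Python is an added example, not code from the paper, the rupture project, or the draft: it parses Set-Cookie headers, flags session cookies that lack the first-party attribute, and models whether a browser would attach each cookie to a cross-site request. The attribute name SameSite and its Strict/Lax semantics are assumed from later revisions of draft-west-first-party-cookies; the sample headers are constructed.

```python
"""Audit Set-Cookie headers for the first-party-only attribute and model
cross-site cookie inclusion.

Added example for illustration; not the rupture project's code.
Assumption: the attribute is spelled "SameSite" with values Strict or Lax,
as in later revisions of draft-west-first-party-cookies.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # attribute names are case-insensitive, so they are stored lower-cased
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def same_site(self) -> Optional[str]:
        v = self.attrs.get("samesite")
        return v.lower() if v else None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return Cookie(name.strip(), value.strip(), attrs)


def sent_cross_site(cookie: Cookie, request_kind: str) -> bool:
    """Model whether a browser attaches the cookie to a cross-site request.

    request_kind is one of: "top-level-get" (a navigation), "subresource"
    (img/script/iframe load), "xhr", "form-post".
    Strict: never sent cross-site. Lax: sent only on top-level GET
    navigations. No attribute: legacy behaviour, always sent.
    """
    mode = cookie.same_site
    if mode == "strict":
        return False
    if mode == "lax":
        return request_kind == "top-level-get"
    return True


def audit(headers: List[str]) -> List[str]:
    """Return one finding per cookie that is still attached to cross-site
    subresource and XHR requests, i.e. still usable as a compression oracle."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if sent_cross_site(cookie, "subresource"):
            findings.append(
                f"{cookie.name}: no SameSite=Strict/Lax; attached to "
                "cross-site subresource and XHR requests"
            )
    return findings


# Constructed sample headers (not from any real service).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "csrftoken=xyz789; Path=/; Secure; SameSite=Strict",
    "theme=dark; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

Only the `session` cookie is reported: with no first-party attribute it is sent on every cross-site request, which is exactly the inclusion the paper calls unnecessary. `Lax` still sends the cookie on top-level GET navigations, so `Strict` is the setting that removes cross-site inclusion entirely; the model's `sent_cross_site` makes that difference explicit so a reviewer can reason about each cookie's exposure.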