- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 16 Jan 2013 16:55:08 -0800
- To: James M Snell <jasnell@gmail.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 11 January 2013 11:45, James M Snell <jasnell@gmail.com> wrote:
> First of all, it is good to consider what the CRIME attack actually is.
> Generally, if we have a block of header data that contains a mix of static
> sensitive data (such as a session cookie) and attacker-provided dynamic
> data, the attacker can repeatedly analyze the size of the compressed block
> of data using different dynamic data values until the sensitive data is
> successfully reverse-engineered.

I'm not sure that this is the best characterization of the problem. CRIME relies on there being state established by previous requests that can be exposed by altering requests and observing how that affects the size of requests (or responses). The specific attack in question used cookies because they are both easy and high-value. As Roberto notes, knowing what is and isn't sensitive is near-impossible.

Of course, using this definition you could say that it is still possible to use the delta-encoding to mount a similar attack, except for the fact that it is grossly inefficient to do so because the space you have to search to interrogate the space is much larger ... to the point that the attack would be no better than a straight guessing game.

--Martin
Received on Thursday, 17 January 2013 00:55:37 UTC
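The two encodings the reply contrasts, as an added example that is not part of the thread: a Python script that measures how the size of a header block reacts to a guess under DEFLATE (the kind of compression the CRIME attack measured) and under a simplified whole-value delta encoding. The host, the cookie value and the `X-Attacker` header are constructed placeholders, and `delta_block_size` is a deliberately simplified model of whole-value referencing written for this illustration, not the delta-encoding proposal under discussion on the list.

```python
import zlib

# Constructed sample values for the example: the cookie stands in for the
# "static sensitive data" and the x-attacker header for the "attacker-provided
# dynamic data" of the thread. Neither the names nor the values come from the
# message above.
HOST = "example.com"
SECRET_COOKIE = "sessionid=7f3a9c1e"

# Whole header values already seen on this connection, i.e. the state that
# previous requests established (a simplified model of a delta encoder,
# not any specific proposal discussed on the list).
SHARED_TABLE = {"GET", "/", HOST, SECRET_COOKIE}


def deflate_block_size(attacker_value: str) -> int:
    """Bytes produced when the whole header block is one DEFLATE stream.

    Attacker-controlled bytes and the cookie share the LZ77 window, so any
    prefix of the cookie that the attacker has already placed in the block is
    emitted as a back-reference instead of as literals, and the output
    shrinks in proportion to how much of the cookie the guess got right.
    """
    block = (
        "GET / HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        f"X-Attacker: {attacker_value}\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n"
    )
    return len(zlib.compress(block.encode("ascii"), 9))


def delta_block_size(attacker_value: str) -> int:
    """Bytes produced by a simplified whole-value delta encoding.

    Each header name is sent as a length-prefixed literal. A value is sent as
    a one-byte reference when it is identical to a value in SHARED_TABLE and
    as a length-prefixed literal otherwise. Nothing is matched below the
    granularity of a complete value, so a partially correct guess costs
    exactly as much as a completely wrong one.
    """
    headers = [
        (":method", "GET"),
        (":path", "/"),
        ("host", HOST),
        ("x-attacker", attacker_value),
        ("cookie", SECRET_COOKIE),
    ]
    size = 0
    for name, value in headers:
        size += 1 + len(name)
        size += 1 if value in SHARED_TABLE else 1 + len(value)
    return size


def bytewise_signal(encode) -> bool:
    """Does a guess that matches all but the last byte of the secret encode to
    a different size than a guess that matches nothing?

    This is the property the attack described in the thread depends on: with
    it, each byte of the secret can be confirmed independently; without it,
    the encoder only reacts to the complete value.
    """
    almost = SECRET_COOKIE[:-1] + "Z"
    nothing = "qwzxvbnmkjhgfdsapo"  # same length as the secret, no shared 3-byte substring
    return encode(almost) != encode(nothing)


def guesses_needed(alphabet_size: int, length: int) -> tuple[int, int]:
    """Worst-case guess counts for a secret of the given length.

    Byte-at-a-time (what a per-byte size signal allows) is linear in the
    length; whole-value-at-a-time (all a whole-value encoder reveals) is
    exponential. This is the difference in search space the reply refers to.
    """
    return alphabet_size * length, alphabet_size ** length


if __name__ == "__main__":
    almost = SECRET_COOKIE[:-1] + "Z"
    for label, encode in (("DEFLATE", deflate_block_size), ("delta", delta_block_size)):
        print(f"{label}: correct={encode(SECRET_COOKIE)} almost={encode(almost)} "
              f"signal per byte: {bytewise_signal(encode)}")
    print("guesses for the 8 hex chars of the session id:", guesses_needed(16, 8))
```

Running it shows the DEFLATE size falling as the guess shares more of the cookie, and again when the final byte is right, while the delta size only moves for an exact full-value match; `guesses_needed` puts numbers on the two search spaces. The defensive reading is the one the thread is converging on: a header compressor that can match attacker-controlled bytes against secret bytes at byte granularity leaks per-byte, whereas one that only references whole values does not.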