- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 11 Jul 2013 16:32:57 -0700
- To: Roberto Peon <grmocg@gmail.com>
- Cc: Sam Pullara <spullara@gmail.com>, James M Snell <jasnell@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On 11 July 2013 15:56, Roberto Peon <grmocg@gmail.com> wrote: > Thusfar, the feedback we're received from security experts indicates that it > is comparable to an attack without the compression (i.e. requires > exponential time w.r.t. the size of the plaintext, or comparable to forcing > the use of a brute-force attack). There are, of course, limitations on this. If a particular header is small, it becomes easier to guess. If you were to say, spread a bearer token into small pieces across multiple headers, then you would open yourself up to a CRIME-like attack. That said, the value that an attacker can gain is fairly marginal, and there are ways to mitigate this. The security considerations will, ultimately, expand on these sorts of caveats as our knowledge improves.
Received on Thursday, 11 July 2013 23:33:24 UTC