Re: HTTP router point-of-view concerns

On 11 July 2013 15:56, Roberto Peon <grmocg@gmail.com> wrote:
> Thus far, the feedback we've received from security experts indicates that it
> is comparable to an attack without the compression (i.e. requires
> exponential time w.r.t. the size of the plaintext, or comparable to forcing
> the use of a brute-force attack).

There are, of course, limitations on this. If a particular header is
small, it becomes easier to guess. If you were to, say, spread a
bearer token into small pieces across multiple headers, then you would
open yourself up to a CRIME-like attack.

That said, the value that an attacker can gain is fairly marginal, and
there are ways to mitigate this.

The security considerations will, ultimately, expand on these sorts of
caveats as our knowledge improves.

Received on Thursday, 11 July 2013 23:33:24 UTC
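A toy model of the whole-pair indexing behaviour the thread relies on, added here as an example and not code from the list or from any draft. The header names, the short hex tokens and the 1-byte cost of an indexed pair are constructed assumptions; the model counts how many length-oracle queries a shared compression context would leak for a token sent in one header versus split across several, which is the caveat raised above.

```python
from itertools import product

HEX = "0123456789abcdef"  # token alphabet assumed for the constructed examples

def compressed_size(headers, table):
    """Size of a header block under a whole-pair indexing model (assumed):
    a name:value pair already in the table costs 1 byte; any other pair costs
    its literal length plus 1. There is no partial credit for a near miss."""
    return sum(1 if h in table else len(h) + 1 for h in headers)

def queries_to_recover(victim_headers, attacker_template, guess_len):
    """Count length-oracle queries an observer needs to learn one header value
    when the victim's headers and an attacker-influenced header share a table.
    Returns (queries, recovered_header) or (queries, None) if nothing matched."""
    table = set(victim_headers)                 # the victim's pairs are indexed
    base = compressed_size(victim_headers, table)
    queries = 0
    for guess in product(HEX, repeat=guess_len):
        candidate = attacker_template % "".join(guess)
        queries += 1
        # The block grows by 1 (indexed) instead of len+1 (literal) only when
        # the whole pair matches; a mostly-right guess looks like a wrong one.
        if compressed_size(victim_headers + [candidate], table) == base + 1:
            return queries, candidate
    return queries, None

def worst_case_queries(token_hex_len, pieces):
    """Upper bound on queries: one header with an n-digit value needs 16**n
    guesses (exponential in the value length); the same token cut into
    n/pieces-digit chunks in separate headers needs only pieces * 16**(n/pieces),
    because each chunk can be attacked on its own."""
    return pieces * 16 ** (token_hex_len // pieces)

if __name__ == "__main__":
    # Constructed victim headers: a 4-hex-digit token sent whole, then split.
    whole = ["Authorization: Bearer 1f2e"]
    split = ["X-Tok-1: 1f", "X-Tok-2: 2e"]
    print("whole token:", queries_to_recover(whole, "Authorization: Bearer %s", 4))
    print("piece 1:", queries_to_recover(split, "X-Tok-1: %s", 2))
    print("piece 2:", queries_to_recover(split, "X-Tok-2: %s", 2))
    print("worst case, 32 hex digits, whole vs 8 pieces:",
          worst_case_queries(32, 1), worst_case_queries(32, 8))
```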