[OWASP_PHPSEC] HTTPS Security

rahul chaudhary rahul300chaudhary400 at gmail.com
Sat Aug 3 18:12:33 UTC 2013


I understand the meaning of the attack. But what I don't understand is this:
deflation algo will store "abcd" if there are repetitions found and will
replace those repetitions with a pointer.

Similarly it will store "johndoe at example.com" and replace other occurrences
with a pointer. But please note that the algo stores the whole email
address and not individual characters. So, when the attacker sends "
e at example.com", the deflation algo will not have stored this string. Hence
the response must still be big.

The only way this attack should work is if the attacker can guess the whole
email address.


On Fri, Aug 2, 2013 at 8:51 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> a new attack has been proposed in BlackHat, regarding HTTPS, which uses
> oracles:
>
> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
>
> This further proves my point that HTTPS connections have to be
> concatenated with random garbage, to prevent many types of attacks.
> We need a core library that does this with HTTPS, via a shutdown function.
> Thanks
> -Abbas
>
> ______________________________________________________________
> *Notice:* This message is *digitally signed*; its *source* and *integrity* are verifiable.
> If your mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body. Read more at Certified E-Mail with Comodo and Thunderbird
> <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> on AbiusX.com
>
>
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
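The point in dispute above, whether DEFLATE only benefits from a repeat of the whole string, can be checked directly with zlib. The script below is an added example for this thread, not code from the original messages or from the OWASP PHP Security Project; the page template, the secret address and the reflected strings are constructed sample data. It renders one response body that contains both a secret and an echo of request input, measures the compressed size for reflections that overlap the secret by 0, 10 and 19 bytes, and then exercises the "random garbage" padding idea from Abbas's message. LZ77 replaces any repeated run of three or more bytes with a back-reference, so the size falls step by step as the overlap grows; it does not wait for the whole token to match.

```python
"""Measure how DEFLATE output length tracks the overlap between a reflected
string and a secret in the same response body, and exercise the
random-padding mitigation proposed in the thread.

Added example for this thread (not project code). The page template, the
secret address and the reflected strings are constructed sample data.
"""
import random
import zlib

# Constructed response: one secret value and one echo of request input,
# both inside the same body that the server would compress.
PAGE = (b"<html><body>Your account e-mail is johndoe@example.com."
        b"<p>Search results for: %s</p></body></html>")
SECRET = b"johndoe@example.com"

# Three reflections of equal length (19 bytes) with growing overlap.
GUESSES = {
    "none": b"0123456789ABCDEFGHI",          # shares no 3-byte run with PAGE
    "partial": SECRET[:10] + b"ABCDEFGHI",   # "johndoe@ex" + 9 unrelated bytes
    "full": SECRET,
}


def render(reflected: bytes) -> bytes:
    """Body with the reflected string substituted into the template."""
    return PAGE % reflected


def compressed_size(body: bytes) -> int:
    """Size of the zlib (DEFLATE) output at the default level."""
    return len(zlib.compress(body, 6))


def response_sizes(compress: bool = True) -> dict:
    """Body size for each reflection, compressed or not. Compressed, the
    size shrinks as the overlap with the secret grows, because LZ77 emits a
    back-reference for any repeated run of 3+ bytes. Uncompressed, all three
    bodies have the same length: the signal only exists because the secret
    and the echo are compressed together."""
    measure = compressed_size if compress else len
    return {name: measure(render(g)) for name, g in GUESSES.items()}


def pad_response(body: bytes, rng: random.Random, max_pad: int = 64) -> bytes:
    """The 'random garbage' idea: append a random-length run of random bytes
    (hex-encoded inside an HTML comment so the page stays valid). Random
    data contains no repeats, so it moves the compressed size by an amount
    that differs from response to response."""
    n = rng.randrange(max_pad)
    filler = bytes(rng.getrandbits(8) for _ in range(n)).hex().encode()
    return body + b"<!--" + filler + b"-->"


def padded_sizes(reflected: bytes, seed: int, samples: int = 20) -> list:
    """Compressed sizes of one response rendered `samples` times with fresh
    padding. A single size no longer identifies the reflection, but the
    noise averages out over many responses, so padding raises cost rather
    than removing the leak. Not compressing responses that mix secrets with
    reflected input, or keeping secrets out of them, is what closes it."""
    rng = random.Random(seed)
    return [compressed_size(pad_response(render(reflected), rng))
            for _ in range(samples)]


if __name__ == "__main__":
    print("compressed:", response_sizes(True))
    print("plain:     ", response_sizes(False))
    print("padded:    ", padded_sizes(SECRET, seed=1))
```

Running it prints the three compressed sizes in decreasing order (none, partial, full), three identical plain sizes, and twenty padded sizes that scatter across a range; the `seed` argument only exists so the padded run is reproducible.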

