[websec] CRIME II alleged at Black Hat

Phillip Hallam-Baker <hallam@gmail.com> Tue, 02 July 2013 13:52 UTC

Date: Tue, 02 Jul 2013 09:52:47 -0400
Message-ID: <CAMm+LwgzQNLJWMZtH8S+KsvtfMjNutWcEKVROA38hz3Te4Yt2Q@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: websec <websec@ietf.org>
Subject: [websec] CRIME II alleged at Black Hat

http://www.darkreading.com/vulnerability/https-side-channel-attack-a-tool-for-enc/240157583

We do not have the details yet. But it seems like this will be yet another
variant of the 'in the browser' adaptive plaintext attack against SSL
enabling cookie stealing.

There are two problems we need to fix:

1) Whatever the latest SSL issue is.

2) Stop using bearer tokens for authentication.


I anticipated this attack (it is the third time round after all), which is
why I wrote the session ID scheme as a drop-in replacement for cookies. In
the short term sites would have to support both schemes as a transitional
measure, but given the current transition to HTML5 it is entirely likely
that some sites can force a transition sooner.

http://www.ietf.org/id/draft-hallambaker-httpsession-01.txt


-- 
Website: http://hallambaker.com/
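The second point above, replacing a bearer cookie with a session key that never travels on the wire after setup and a per-request MAC, as an added example that is not the draft's or the author's code. The header layout (id, nonce, ts, mac), the freshness window and the server-side nonce store are assumptions for illustration, not the draft's wire format; the contrast is that a copied bearer value is accepted anywhere, while a copied MAC header fits only the one request it was computed for, and only once.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side state: session id -> session key (hypothetical layout).
# The key is agreed once at session setup and never appears in later requests.
SESSIONS = {}
SEEN_NONCES = set()

def new_session():
    sid = secrets.token_hex(8)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid

def _mac_input(method, path, nonce, ts, body):
    # Bind the MAC to the request itself, so a captured header only fits this request.
    return f"{method}\n{path}\n{nonce}\n{ts}\n".encode() + hashlib.sha256(body).digest()

def sign_request(sid, method, path, body=b"", now=None):
    """Client side: build the assumed Session header for one request."""
    nonce = secrets.token_hex(8)
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SESSIONS[sid], _mac_input(method, path, nonce, ts, body),
                   hashlib.sha256).hexdigest()
    return f"id={sid}; nonce={nonce}; ts={ts}; mac={mac}"

def verify_request(header, method, path, body=b"", now=None, window=300):
    """Server side: accept only a fresh, unreplayed MAC over exactly this request."""
    fields = dict(part.strip().split("=", 1) for part in header.split(";"))
    key = SESSIONS.get(fields.get("id"))
    if key is None:
        return False                      # unknown session
    ts = int(fields["ts"])
    if abs((now if now is not None else time.time()) - ts) > window:
        return False                      # stale: outside the freshness window
    if fields["nonce"] in SEEN_NONCES:
        return False                      # replay of a header already consumed
    expected = hmac.new(key, _mac_input(method, path, fields["nonce"], str(ts), body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, fields["mac"]):
        return False                      # header was minted for a different request
    SEEN_NONCES.add(fields["nonce"])
    return True

def verify_bearer(presented, stored):
    """Contrast: a bearer cookie is checked with no reference to the request, so a copy suffices."""
    return hmac.compare_digest(presented, stored)
```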