Re: [websec] CRIME II alleged at Black Hat
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 02 July 2013 14:38 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D8F821F9EE1 for <websec@ietfa.amsl.com>; Tue, 2 Jul 2013 07:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.359
X-Spam-Level:
X-Spam-Status: No, score=-101.359 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_LWSHORTT=1.24, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5JOGwhie6XKO for <websec@ietfa.amsl.com>; Tue, 2 Jul 2013 07:38:54 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id 4140821F9EEE for <websec@ietf.org>; Tue, 2 Jul 2013 07:38:54 -0700 (PDT)
Received: from mailout-de.gmx.net ([10.1.76.27]) by mrigmx.server.lan (mrigmx002) with ESMTP (Nemesis) id 0MN7F0-1Urqvl1nYW-006eX3 for <websec@ietf.org>; Tue, 02 Jul 2013 16:38:53 +0200
Received: (qmail invoked by alias); 02 Jul 2013 14:38:53 -0000
Received: from 80-248-243-11.cust.suomicom.fi (EHLO [192.168.1.37]) [80.248.243.11] by mail.gmx.net (mp027) with SMTP; 02 Jul 2013 16:38:53 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+PQtd4wI+PLjunm8Cod1jUAtF+8e5uRLlY/BQkRk 2M9yqeHURrr+oV
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset="us-ascii"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <CAMm+LwgzQNLJWMZtH8S+KsvtfMjNutWcEKVROA38hz3Te4Yt2Q@mail.gmail.com>
Date: Tue, 02 Jul 2013 17:38:51 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <C9C72FA4-71E3-4BA0-9752-60D129F436D5@gmx.net>
References: <CAMm+LwgzQNLJWMZtH8S+KsvtfMjNutWcEKVROA38hz3Te4Yt2Q@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Pgp-Agent: GPGMail 1.4.1
X-Mailer: Apple Mail (2.1085)
X-Y-GMX-Trusted: 0
Cc: websec <websec@ietf.org>
Subject: Re: [websec] CRIME II alleged at Black Hat
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2013 14:38:58 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [I posted this mail also the CA Browser Forum list but it is read-only for non-members only. So, I post it here.] Hi Phil, I am always a bit reluctant when I hear about these types of attacks. In many cases, they are very basic and make various assumptions. In the OAuth working group we had looked into various attacks and many of them turned out to be an implementation flaw: someone tried to make some short-cuts and then had to pay the price for it. The most recent example was Facebook earlier this year. So, I am looking forward to see the details of this attack. If you know the speakers maybe it is possible to get in touch with them upfront. Just saying move away from bearer tokens is certainly simplistic for a number of reasons. Ciao Hannes On Jul 2, 2013, at 4:52 PM, Phillip Hallam-Baker wrote: > http://www.darkreading.com/vulnerability/https-side-channel-attack-a-tool-for-enc/240157583 > > We do not have the details yet. But it seems like this will be yet another variant of the 'in the browser' adaptive plaintext attack against SSL enabling cookie stealing. > > There are two problems we need to fix: > > 1) Whatever the latest SSL issue is. > > 2) Stop using bearer tokens for authentication. > > > I anticipated this attack (it is the third time round after all) which is why I wrote the session ID scheme as a drop in replacement for cookies. In the short term sites would have to support both schemes as a transitional measure but given the current transition to HTML5 it is entirely likely that some sites can force a transition sooner. > > http://www.ietf.org/id/draft-hallambaker-httpsession-01.txt > > > -- > Website: http://hallambaker.com/ > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org iQEcBAEBCgAGBQJR0uX7AAoJEGhJURNOOiAtn2kH/1EVIvEm07+TG0BHqYuRuuzz 9JsWp4CdECuH3H4Zj+B3a5wrY6XsUxxmTaceC94S82YuV0jy/8wS8vBeeIuF2PU/ FUwTFDoJ8zVdRtPNNRsbLTwc7n/Jg8Hz477wb4CXllfgcqci4ADuihJW6WkaiqNX l/4h0mqIfFOeQ3q7km5BZuZrrD/UbxM4r231tJRxhJL5QKyH8I3e63gtUlBMwW0g nONH3NdoCGoXLiQT9E6YAzCzFQBbb1+UsJbkQ+N8kW+2GtOVdf5caxX6EtuThYuW 68MGKhDbFQZk1dSwLvxzX6sgak020h7o6DJJDlBJLG/jlPlF3KESYmV6LXSaIRo= =RS6A -----END PGP SIGNATURE-----
- [websec] CRIME II alleged at Black Hat Phillip Hallam-Baker
- Re: [websec] CRIME II alleged at Black Hat Tom Ritter
- Re: [websec] CRIME II alleged at Black Hat Hannes Tschofenig