Reputation: 2279
I just recently read this doc http://www.kb.cert.org/vuls/id/987798 and my question is, why not just add some random, various-length HTTP headers like
HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Encoding: gzip
Content-Length: 11669
Content-Type: text/html; charset=utf-8
asdfnak4r9q38: asdbf2984rqf // header with a random name and a random value of varying length
And we can also add some random data in the HTML head section.
Why am I wrong? And why might this solution not work?
Thanks
Upvotes: 0
Views: 209
Reputation: 5547
Assuming that the length of your random headers is uniformly distributed, then you're just adding noise that increases the number of requests necessary to be sure of a guess without actually mitigating the attack.
If each guess is replayed enough times to even out the entropy introduced by your random-length header, the correct guesses will still be, on average, shorter than the incorrect guesses.
As with the CRIME and TIME attacks, the fix is still to disable HTTP compression.
Upvotes: 1
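An added illustration of the averaging argument in this answer (a constructed simulation, not code from the original post or from the CERT advisory): a gzip'd page that reflects user input next to a secret, with the random-length header from the question added to each response. A single response pair is often misleading, but the mean over many replays still separates the correct guess from the wrong one. The secret token, the page layout and the guess strings are all made-up sample values.

```python
import random
import statistics
import zlib

# Constructed stand-in for the situation in VU#987798: a gzip'd page that
# reflects attacker-controlled text and also contains a secret token.
SECRET = "csrf_token=7f3a9c2e"  # constructed sample value, not a real token
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def build_body(reflected: str) -> str:
    """Page body that echoes user-supplied text near the secret."""
    return f"<html><body><p>Search: {reflected}</p><p>{SECRET}</p></body></html>"

def random_header(rng: random.Random, max_len: int = 64) -> str:
    """The proposed mitigation: a header with a random name and a random-length value."""
    name = "".join(rng.choices(ALPHABET, k=12))
    value = "".join(rng.choices(ALPHABET, k=rng.randint(1, max_len)))
    return f"{name}: {value}\r\n"

def response_length(reflected: str, rng: random.Random) -> int:
    """Bytes on the wire for one response: uncompressed headers plus the gzip'd body."""
    headers = "HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n" + random_header(rng) + "\r\n"
    body = zlib.compress(build_body(reflected).encode(), 9)
    return len(headers.encode()) + len(body)

def mean_length(reflected: str, samples: int, seed: int) -> float:
    """Average over `samples` replays: the random header's contribution converges
    to its expected value, leaving only the compression-dependent difference."""
    rng = random.Random(seed)
    return statistics.mean(response_length(reflected, rng) for _ in range(samples))

def compare_guesses(samples: int = 4000) -> tuple[float, float]:
    """Mean wire length for a correct 4-character guess versus a wrong one."""
    correct = mean_length("csrf_token=7f3a", samples, seed=1)
    wrong = mean_length("csrf_token=wxyz", samples, seed=2)
    return correct, wrong

def single_shot_error_rate(trials: int = 1000) -> float:
    """Fraction of single request pairs in which the random header hides the
    difference (correct guess not shorter): how well the padding works per request."""
    rng = random.Random(3)
    fooled = sum(
        response_length("csrf_token=7f3a", rng) >= response_length("csrf_token=wxyz", rng)
        for _ in range(trials)
    )
    return fooled / trials

if __name__ == "__main__":
    c, w = compare_guesses()
    print(f"mean length: correct guess {c:.1f}, wrong guess {w:.1f}")
    print(f"single request pair fooled {single_shot_error_rate():.0%} of the time")
```

Per request the padding hides the few-byte difference almost half the time, but after a few thousand replays the means differ by the compression gain of the correct guess, which is exactly what the answer above describes.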