[cabfpub] SSL BEASTie boys develop follow-up 'CRIME' web attack

Phillip philliph at comodo.com
Tue Sep 11 08:07:06 MST 2012


Maybe what we need to do is to move away from using cookies for security purposes.

Rather than trying to fix a broken model we could add in a two part mechanism like the ticket scheme I have proposed for HTTP/2.0 that passes a reference to a shared secret by means of a ticket and a proof of knowledge of the secret that binds it to at least some part of the HTTP message (request line, content, headers).


On Sep 11, 2012, at 10:59 AM, Rob Stradling wrote:

> Some speculation.  Sounds plausible...
> 
> http://lists.randombit.net/pipermail/cryptography/2012-September/003191.html
> 
> On 11/09/12 02:18, Adam Langley wrote:
>> On Mon, Sep 10, 2012 at 2:04 PM, Phillip <philliph at comodo.com> wrote:
>>> Apropos which:
>>> 
>>> Since this is a Google employee speaking as a Google employee, perhaps Google could share the technical details of the attack with the forum?
>> 
>> CAs don't need to worry about this issue. I believe that all major,
>> affected parties have been contacted. If members here believe
>> otherwise, please let me know.
>> 
>> 
>> Cheers
>> 
>> AGL
>> 
> 
> -- 
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> Office Tel: +44.(0)1274.730505
> Office Fax: +44.(0)1274.730909
> www.comodo.com
> 
> COMODO CA Limited, Registered in England No. 04058690
> Registered Office:
>  3rd Floor, 26 Office Village, Exchange Quay,
>  Trafford Road, Salford, Manchester M5 3EQ
> 
> This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.  If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.
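
The two-part mechanism described in Phillip's message above, as an added example that is not part of the original thread and is not the HTTP/2.0 ticket proposal itself: a ticket references a server-held secret, and each request carries a proof of knowledge bound to the request line, headers and content. The HMAC-SHA256 construction, the per-request nonce, and all function and field names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TICKETS = {}   # server side: ticket id -> shared secret (in-memory, constructed)
SEEN = set()   # server side: (ticket, nonce) pairs already accepted

def issue_ticket():
    """Server: mint a secret and an opaque ticket that only references it."""
    ticket, secret = secrets.token_urlsafe(16), secrets.token_bytes(32)
    TICKETS[ticket] = secret
    return ticket, secret  # handed to the client once, at login

def canonical(method, target, headers, body, nonce):
    """Bytes the proof covers: request line, nonce, headers, content digest."""
    lines = [f"{method} {target}", f"nonce:{nonce}"]
    pairs = sorted((k.lower(), v.strip()) for k, v in headers.items())
    lines += [f"{k}:{v}" for k, v in pairs]
    lines.append(hashlib.sha256(body).hexdigest())
    return "\n".join(lines).encode()

def sign_request(ticket, secret, method, target, headers, body=b""):
    """Client: send ticket + fresh proof; the secret never goes on the wire."""
    nonce = secrets.token_hex(8)
    msg = canonical(method, target, headers, body, nonce)
    proof = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"ticket": ticket, "nonce": nonce, "proof": proof}

def verify_request(auth, method, target, headers, body=b""):
    """Server: find the secret via the ticket, recompute and compare the proof."""
    ticket, nonce = auth.get("ticket"), auth.get("nonce", "")
    secret = TICKETS.get(ticket)
    if secret is None:
        return False
    msg = canonical(method, target, headers, body, nonce)
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth.get("proof", "")):
        return False  # wrong secret, or request line/headers/content altered
    if (ticket, nonce) in SEEN:
        return False  # a captured proof is not reusable the way a cookie is
    SEEN.add((ticket, nonce))
    return True

if __name__ == "__main__":
    t, s = issue_ticket()
    hdrs = {"Host": "shop.example"}  # constructed sample request
    auth = sign_request(t, s, "POST", "/transfer", hdrs, b"amount=10")
    print(verify_request(auth, "POST", "/transfer", hdrs, b"amount=10"))
    print(verify_request(auth, "POST", "/transfer", hdrs, b"amount=9999"))
```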


