Http: added HTTP header with random length to complicate BREACH attack #1379
fabik wants to merge 1 commit into nette:master from
Conversation
Corresponding Symfony issue for reference symfony/symfony#8682
Nette/Http/Response.php
Because it does not only apply to IE and pages with error status code, but to all browsers and all status codes.
Majkl means someone could want to disable the BREACH protection but enable the IE fix. I don't think it's necessary to have both though. According to the comment above it only applies to IE6, I think we can drop support for such an old version.
But it's not possible to turn off the protection, because the variable Response::$preventBreachAttack is private. It just prevents sending of the invisible garbage more than once.
Not really @enumag. I understand IE, I was asking about status codes only. :) But yes, explicit disabling might be good in some cases.
Just for the record, this approach might kill some HTTP caches on the way, for the two guys out there still caring about them. It is also listed as the second least effective mitigation (out of 7), just sayin'. Also, even the guys themselves say that "Unfortunately, we are unaware of a clean, effective, practical solution to the problem.", so making this a default might not be as great an idea as it might seem. My 2 cents.
This is of course not intended to „prevent BREACH attack“, just to „complicate“ it. The subject is incorrect. And I don't like it much; better would be to send an HTTP header with random length.
That's correct, length hiding makes the attack just take longer:
I rewrote it, so it just sends a header of a random length and on HTTPS only. That should be good, shouldn't it?
Better is str_repeat. And the length should not be random for the same requests.
With HTTP compression HTTP headers are not compressed, only the HTTP body is. So adding header data does not prevent BREACH. This PR is nonsense and should be closed.
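To check the objection above (headers travel uncompressed, only the body is deflated), here is an added Python example that is not part of this pull request or of Nette: it builds a constructed page containing a placeholder token plus reflected input, emulates the PR's variable-length header under a hypothetical name `X-Padding`, and measures what a length observer sees with header padding versus padding inside the body.

```python
import os
import zlib
from typing import Tuple

# Constructed sample page: a per-session secret and a reflected query string
# share one HTTP body, which is the precondition BREACH needs.
SECRET_TOKEN = "csrf=9f3a7c2e1b"  # constructed placeholder, not a real token


def render_body(reflected: str) -> bytes:
    """Constructed HTML body containing both the secret and the reflected input."""
    return (
        "<html><body>"
        f"<input type='hidden' name='token' value='{SECRET_TOKEN}'>"
        f"<p>You searched for: {reflected}</p>"
        "</body></html>"
    ).encode()


def compressed_len(data: bytes) -> int:
    """Length after DEFLATE: the only quantity a BREACH observer measures."""
    return len(zlib.compress(data, 9))


def header_padded_response(body: bytes, pad_len: int) -> Tuple[int, int]:
    """Emulate this PR: an extra header of variable length (hypothetical name).
    Headers go out uncompressed and only the body is deflated, so the two
    lengths are independent. Returns (bytes on the wire, compressed body bytes)."""
    headers = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Encoding: gzip\r\n"
        f"X-Padding: {'x' * pad_len}\r\n\r\n"
    ).encode()
    body_len = compressed_len(body)
    return len(headers) + body_len, body_len


def body_padded_len(body: bytes, pad_len: int) -> int:
    """Alternative: append hard-to-compress bytes to the body itself before
    compression, so the compressed length stops depending on content alone."""
    padded = body + b"<!--" + os.urandom(pad_len).hex().encode() + b"-->"
    return compressed_len(padded)


def header_padding_is_observable(reflected: str) -> bool:
    """Does varying the header length change the compressed body length at all?"""
    body = render_body(reflected)
    return len({header_padded_response(body, n)[1] for n in (0, 16, 256)}) > 1


def body_padding_is_observable(reflected: str) -> bool:
    """Same question for padding placed inside the compressed body."""
    body = render_body(reflected)
    return len({body_padded_len(body, n) for n in (0, 16, 256)}) > 1
```

The header variant only shifts the total wire size by exactly the padding length while the compressed body stays identical, which is why the objection holds; body-side padding does change the observed length, but as the earlier comment notes it only makes the measurement noisier, not impossible.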
Here's a nice demonstration of BREACH attack: http://resources.infosecinstitute.com/the-breach-attack/