yllan points 0

But because of the CRIME / BREACH vulnerabilities, isn't the recommendation that dynamic responses w/ secrets are best not compressed?

IngramChen points 1

That's TLS compression, isn't it?

gzip is fine.

yllan points 1
BREACH

While CRIME was mitigated by disabling TLS/SPDY compression (and by modifying gzip to allow for explicit separation of compression contexts in SPDY), BREACH attacks HTTP responses. It is important to note that the attack is agnostic to the version of TLS/SSL, and does not require TLS-layer compression. Additionally, the attack works against any cipher suite.

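But after looking more closely, its conditions are that the HTTP body has to contain both a secret and user generated data, so ordinary JSON that doesn't meet the conditions is indeed fine.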
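The conditions named in the last post, written as a check a defender could run over captured responses. This is an added example, not code from the thread or its participants; the function name, the sample token and the sample bodies are constructed, and it assumes user input is reflected verbatim.

```python
from dataclasses import dataclass

# Content-Encoding values that mean the HTTP body itself was compressed.
COMPRESSED_CODINGS = {"gzip", "x-gzip", "deflate", "br", "zstd", "compress"}

@dataclass
class Finding:
    compressed: bool
    secrets_in_body: list
    reflected_inputs: list

    @property
    def exposed(self):
        # All three conditions have to hold in the same response.
        return bool(self.compressed and self.secrets_in_body and self.reflected_inputs)

def check_breach_preconditions(headers, body, secrets, request_params, min_len=4):
    """secrets and request_params map a name to its string value."""
    # Header names are case-insensitive and the value may list several codings.
    enc = next((v for k, v in headers.items() if k.lower() == "content-encoding"), "")
    codings = {c.strip().lower() for c in enc.split(",")}
    compressed = bool(codings & COMPRESSED_CODINGS)
    present = [n for n, v in secrets.items() if v and v in body]
    # Very short values ("1", "en") match by accident, so they are skipped.
    # Assumption: input is reflected verbatim; escaped reflections need decoding first.
    reflected = [n for n, v in request_params.items() if len(v) >= min_len and v in body]
    return Finding(compressed, present, reflected)

# Constructed samples (token and bodies are made up for this example).
CSRF = "tok-3f9a1c77e2"
HTML = f'<form><input name="csrf" value="{CSRF}"></form><p>Results for: summer shoes</p>'
JSON_BODY = '{"items": [{"id": 1, "name": "boot"}], "page": 1}'

def demo():
    secrets = {"csrf_token": CSRF}
    q = {"q": "summer shoes"}
    return {
        "html_gzip": check_breach_preconditions({"Content-Encoding": "gzip"}, HTML, secrets, q).exposed,
        "html_identity": check_breach_preconditions({}, HTML, secrets, q).exposed,
        "json_gzip": check_breach_preconditions({"content-encoding": "gzip, identity"}, JSON_BODY, secrets, {"page": "1"}).exposed,
    }

if __name__ == "__main__":
    print(demo())
```

Only the gzip-compressed HTML page, which carries both the token and the reflected query, is flagged; the same page without compression and the JSON body without a secret are not.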