quote:"When you're designing security protocols, you can implement cryptography properly, but you cannot always provide perfect confidentiality. When you mix a lot of protocols into the stack, there might be other layers in the stack that might be overly permissive, and then you might be able to compromise the entire trust relationship."
...or as I like to say "if it can be made by human hands, it can be broken by human hands"
quote:At the show, Prado and Harris will demonstrate an attack on a major enterprise application that will be able to uncover encrypted secrets in 30 seconds. They'll also be releasing a proof-of-concept tool that will allow users to test how the attack works against a sample page.
... so anyone know if they did release this or not?
They aren't announcing the details or releasing the PoC tool until Blackhat. I saw the demo of the tool. It is scary fast and not difficult to execute. It is definitely not script kiddie material but anyone with basic understanding of web apps can piece it together quite easily. -- Scott, CCIE #14618 Routing & Switching »rolande.wordpress.com/
Just as a heads up, this attack is being presented at Blackhat tomorrow afternoon. Any of you who have or work for companies that have HTTP page compression enabled for dynamic pages being delivered by SSL, might want to rethink that option after tomorrow. Disabling page compression is about the only real feasible mitigation option in the short term. All other options would likely require some considerable application modification.
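An added illustration of the point made in the post above (this is not code from the thread, the presenters, or any tool they released): when a dynamic page served over SSL is compressed server-side and contains both a secret and text reflected from the request, the compressed size of the response changes depending on how much of the reflected text matches the secret, and TLS does nothing to hide that size. Turning page compression off, the mitigation named above, makes the size independent of the input. The secret token, the page template, and the probe strings below are all constructed sample data; `render_page`, `response_size`, and `size_varies_with_input` are names chosen for this example.

```python
import zlib

# Constructed sample secret, stood in for an anti-CSRF token embedded in a form.
SECRET_TOKEN = b"csrf=7f3a9c2e5b1d"


def render_page(secret: bytes, reflected: bytes) -> bytes:
    """A dynamic page that echoes request input (a search term here) on the
    same page as a hidden secret. Constructed template, not any real app."""
    return (
        b"<html><body><p>Search: " + reflected + b"</p>"
        b"<form><input type='hidden' name='token' value='" + secret + b"'>"
        b"</form></body></html>"
    )


def response_size(body: bytes, compression: bool) -> int:
    """Bytes the page occupies on the wire before TLS framing.
    With compression on, DEFLATE replaces repeated substrings with
    back-references, so a reflected string that repeats part of the secret
    shrinks the output. TLS encrypts the bytes but does not mask their count."""
    return len(zlib.compress(body)) if compression else len(body)


def size_varies_with_input(render, probes, compression: bool) -> bool:
    """Defender-side check: feed equal-length inputs to the page renderer and
    see whether the wire size changes. If it does, the response size is
    carrying information about the rest of the page's content."""
    lengths = {len(p) for p in probes}
    assert len(lengths) == 1, "probes must be the same length for a fair comparison"
    sizes = {response_size(render(p), compression) for p in probes}
    return len(sizes) > 1


# Two equal-length probes: one shares a prefix with the secret, one does not.
PROBES = [b"csrf=7f3a9c2e", b"csrf=Zq8mW2kP"]


def leak_report(secret: bytes = SECRET_TOKEN) -> dict:
    """Summarise the channel with and without server-side page compression."""
    render = lambda reflected: render_page(secret, reflected)
    return {
        "compressed_sizes": [response_size(render(p), True) for p in PROBES],
        "plain_sizes": [response_size(render(p), False) for p in PROBES],
        "leaks_with_compression": size_varies_with_input(render, PROBES, True),
        "leaks_without_compression": size_varies_with_input(render, PROBES, False),
    }


if __name__ == "__main__":
    for key, value in leak_report().items():
        print(f"{key}: {value}")
```

The check only needs a way to render your own page with chosen input, so it can be run against a local template before deciding whether compression has to be disabled for responses that carry secrets.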
It did, which is why most browsers had the functionality previously disabled by default. However, this vulnerability/attack is about server side page compression and not tunnel compression. -- Scott, CCIE #14618 Routing & Switching »rolande.wordpress.com/