GZIP compression on HTTPS traffic security issue with BREACH/CRIME attack?

Views: 72

Problem description

For example when I have a look on the HTTP header of https://www.facebook.com I see that they utilize GZIP compression Content-Encoding: gzip with SSL/TLS traffic.

Isn't that a bad idea because of BREACH/CRIME attack?

curl -I -H 'Accept-Encoding: gzip,deflate' https://www.facebook.com
HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Strict-Transport-Security: max-age=15552000; preload
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/html
Date: Fri, 15 May 2015 18:56:11 GMT
Connection: keep-alive
Content-Length: 15101

According to http://en.wikipedia.org/wiki/BREACH_%28security_exploit%29

Recommended answer

BREACH exists when you have TLS plus HTTP compression (ie gzip). But it also requires:

  1. Useful secret information in the response body
  2. The attacker must be able to inject values into the response body via request parameters
  3. No random response padding

Comments:

  1. Hackers are after credit card numbers, passwords, CSRF tokens, and probably not chats with your GF, but you never know.

It looks like a lot of the input responses (search bar at top, for example) are out-of-band, ie the response is over AJAX so doesn't affect other responses.

Facebook might be padding their responses, but I haven't delved too deeply into that.
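As an added illustration of the three conditions listed in the answer (this is not part of the original question or answer), the following Python snippet renders a constructed page that contains a hidden CSRF token and an echoed query parameter, then compares the deflate-compressed size of the body for two echoed strings of equal length: one that repeats the first characters of the token and one that shares nothing with the page. The page template, the token value and both echoed strings are made up for the example; the only library used is zlib from the standard library.

```python
import zlib

# Constructed sample page: a hidden CSRF token (the secret) plus a query
# parameter echoed back into the same body (the request-influenced part).
# The token is a fixed, made-up value so the example is reproducible.
CSRF_TOKEN = "4e7a91bc0d3f5a62"


def render_page(reflected: str, token: str = CSRF_TOKEN) -> bytes:
    """Render a minimal HTML body holding both the secret and the echoed input."""
    html = (
        "<html><body>"
        f"<form><input type='hidden' name='csrf' value='{token}'></form>"
        f"<p>Results for: {reflected}</p>"
        "</body></html>"
    )
    return html.encode("ascii")


def body_size(reflected: str, compress: bool) -> int:
    """Bytes on the wire for the rendered page, with or without deflate (gzip) compression."""
    body = render_page(reflected)
    return len(zlib.compress(body, 6)) if compress else len(body)


def size_difference(compress: bool) -> int:
    """
    Size of the body for a wrong guess minus the size for a correct guess.

    Both echoed strings have the same length, so without compression the
    difference is 0. With compression, deflate extends the back-reference
    it already has for "csrf' value='" over the matching token characters,
    so the body with the correct guess comes out smaller (difference > 0).
    That dependence of length on secret content is what conditions 1 and 2
    in the answer describe.
    """
    prefix = "csrf' value='"
    correct_guess = prefix + CSRF_TOKEN[:4]
    wrong_guess = prefix + "QVXZ"  # characters that occur nowhere else in the page
    return body_size(wrong_guess, compress) - body_size(correct_guess, compress)


if __name__ == "__main__":
    print("uncompressed size difference:", size_difference(compress=False))
    print("compressed size difference:  ", size_difference(compress=True))
```

With compression off the two responses are the same length, which is why serving responses that reflect request input without gzip (or keeping secrets such as CSRF tokens out of such responses, as the AJAX separation in the answer does) removes the signal; random padding (condition 3) leaves the signal in place but buries it in noise, so it has to be re-measured many times rather than read off one response.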
