A Solution to Compression Oracles on the Web

What's this blog post about?

Blake Loring, a PhD student at Royal Holloway, University of London, discusses how web compression schemes can be exploited by attackers to extract secret information from encrypted messages using only the length of the response. This is the basis of attacks on TLS such as CRIME, BREACH, TIME and HEIST. To mitigate this issue, Loring worked at Cloudflare last summer on a project called cf-nocompress, which aims to develop a tool that automatically mitigates instances of these attacks without significantly impacting the effectiveness of compression. The solution involves selective compression: only the non-secret parts of a page are compressed, and regular expressions are used to identify secrets within a response. A proof-of-concept implementation is available on GitHub.

Company
Cloudflare

Date published
March 27, 2018

Author(s)
Guest Author

Word count
1000

Language
English

Hacker News points
24


By Matt Makai. 2021-2024.