Open Source and information security mailing list archives
Date: Thu, 11 Apr 2013 21:26:26 +0200
From: Jan Wrobel <wrr@...edbit.org>
To: Jann Horn <jann@...jh.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploiting sibling domains cookie isolation policy to DoS CDN users

On Thu, Apr 11, 2013 at 6:05 PM, Jann Horn <jann@...jh.net> wrote:
> On Thu, Apr 11, 2013 at 05:01:57PM +0200, Jan Wrobel wrote:
>> [...]
>
> CDNs could mitigate this by, instead of resetting connections with lots of headers,
> just reading all the cookies and throwing them into the bit bucket instead of keeping
> them in RAM, right? That way, there would still be the wasted bandwidth, but
> combined with the Google approach, it should work fine, right? If the client sends too
> many headers, just ignore everything until you reach \n\n, then send back the error
> script?

In my view a cookie-resetting script is rather a last-resort defense,
not a reliable mechanism to depend upon. Sites that include
resources from a CDN rarely serve main or iframed HTML documents from
the CDN origin, and this is required for the resetting script to work.
If such a script were returned when a browser is expecting a script, img,
CSS or other non-HTML sub-resource, it would not work.

Jan
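
The cookie scoping rule this thread turns on is RFC 6265 domain matching: a cookie that one host sets with a Domain attribute naming a parent domain is attached to requests for every sibling host under that domain, while a host-only cookie (no Domain attribute) stays with the host that set it. The following model is an added illustration, not code from the thread or from any CDN; the 8 KiB per-request header budget is an assumed figure chosen for the example, and the hostnames are constructed.

```python
# Added illustration (not code from the thread). Models the RFC 6265
# domain-match rule: a cookie set by a.example.com with Domain=example.com
# is sent to the sibling host cdn.example.com, a host-only cookie is not.
# MAX_REQUEST_HEADER_BYTES is an assumed CDN limit, constructed for this
# example; check the real value for the front end you operate.
from dataclasses import dataclass
from typing import List, Optional, Set

MAX_REQUEST_HEADER_BYTES = 8192  # assumed per-request header budget


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # lower-case, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def set_cookie(jar: Set[Cookie], setting_host: str, name: str, value: str,
               domain: Optional[str] = None) -> bool:
    """Browser-side Set-Cookie handling; returns False when the cookie is rejected.
    Public-suffix checks (refusing Domain=com and the like) are out of scope here."""
    if domain is None:
        jar.add(Cookie(name, value, setting_host.lower(), host_only=True))
        return True
    domain = domain.lstrip(".").lower()
    if not domain_matches(setting_host, domain):
        return False  # a host may only scope cookies to itself or a parent domain
    jar.add(Cookie(name, value, domain, host_only=False))
    return True


def is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Whether the browser attaches this cookie to a request for request_host."""
    if cookie.host_only:
        return cookie.domain == request_host.lower()
    return domain_matches(request_host, cookie.domain)


def names_sent(jar: Set[Cookie], request_host: str) -> List[str]:
    """Names of the cookies attached to a request for request_host, sorted."""
    return sorted(c.name for c in jar if is_sent_to(c, request_host))


def cookie_header(jar: Set[Cookie], request_host: str) -> str:
    sent = sorted((c for c in jar if is_sent_to(c, request_host)), key=lambda c: c.name)
    return "; ".join(f"{c.name}={c.value}" for c in sent)


def request_header_size(jar: Set[Cookie], request_host: str) -> int:
    """Bytes the Cookie header line adds to a request (0 when no cookie applies)."""
    header = cookie_header(jar, request_host)
    return len(f"Cookie: {header}\r\n".encode()) if header else 0


def cdn_accepts(jar: Set[Cookie], request_host: str) -> bool:
    """True while the Cookie header alone stays within the assumed budget."""
    return request_header_size(jar, request_host) <= MAX_REQUEST_HEADER_BYTES


if __name__ == "__main__":
    jar: Set[Cookie] = set()
    set_cookie(jar, "a.example.com", "session", "abc")                    # host-only
    set_cookie(jar, "a.example.com", "wide", "x", domain="example.com")   # parent scope
    print("sent to cdn.example.com:", names_sent(jar, "cdn.example.com"))
    print("cdn accepts:", cdn_accepts(jar, "cdn.example.com"))
    for i in range(3):  # parent-scoped cookies large enough to exceed the budget
        set_cookie(jar, "a.example.com", f"pad{i}", "A" * 4000, domain="example.com")
    print("cdn accepts after padding:", cdn_accepts(jar, "cdn.example.com"))
```

The practical check for a deployment is the `names_sent` call: if any host where untrusted users can cause Set-Cookie with a parent-domain scope shares that parent with the CDN hostname, the CDN host receives those cookies on every request, and the only thing standing between a large parent-scoped cookie set and a rejected request is the front end's header budget.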

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/