lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Apr 2013 19:16:58 +0200
From: Jan Wrobel <wrr@...edbit.org>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploiting sibling domains cookie isolation
 policy to DoS CDN users

On Thu, Apr 11, 2013 at 6:32 PM, Michal Zalewski <lcamtuf@...edump.cx> wrote:
> This is fairly well-known, I think; for example, there's a mention of this
> here (search for appspot.com):
>
> http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

Yes, the idea of such DoS  technique is not new, but I've never seen
it discussed in a context of CDNs. The impact of the attack against
blogging platform is limited compared to the impact of the attack
against a popular CDN that many sites depend on. Yet, blogspot.com is
on the Public Suffix List, but no CDNs are there (excluding Amazon's
that was recently added). And CDNs are much easier to protect than
applications like Blogger, you don't need to redesign authentication
mechanism, the suffix domain is already cookieless. So I think it is
worth writing about the issue to encourage more CDN providers to add
their domains to the PSL.

BTW. I've added a link to your post.

Thanks,
Jan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists