| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACm05o87PRq+Jk8BCj=pLboZ-F78xtt5uVz4if5km5FdrjhStg@mail.gmail.com> Date: Thu, 11 Apr 2013 19:16:58 +0200 From: Jan Wrobel <wrr@...edbit.org> To: Michal Zalewski <lcamtuf@...edump.cx> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Exploiting sibling domains cookie isolation policy to DoS CDN users On Thu, Apr 11, 2013 at 6:32 PM, Michal Zalewski <lcamtuf@...edump.cx> wrote: > This is fairly well-known, I think; for example, there's a mention of this > here (search for appspot.com): > > http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html Yes, the idea of such DoS technique is not new, but I've never seen it discussed in a context of CDNs. The impact of the attack against blogging platform is limited compared to the impact of the attack against a popular CDN that many sites depend on. Yet, blogspot.com is on the Public Suffix List, but no CDNs are there (excluding Amazon's that was recently added). And CDNs are much easier to protect than applications like Blogger, you don't need to redesign authentication mechanism, the suffix domain is already cookieless. So I think it is worth writing about the issue to encourage more CDN providers to add their domains to the PSL. BTW. I've added a link to your post. Thanks, Jan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists