lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACm05o-Cahg8Wh=nsLS1AgoNMQ4Bae7oqD_wMh+u+37LmqtjaQ@mail.gmail.com>
Date: Thu, 11 Apr 2013 21:26:26 +0200
From: Jan Wrobel <wrr@...edbit.org>
To: Jann Horn <jann@...jh.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploiting sibling domains cookie isolation
 policy to DoS CDN users

On Thu, Apr 11, 2013 at 6:05 PM, Jann Horn <jann@...jh.net> wrote:
> On Thu, Apr 11, 2013 at 05:01:57PM +0200, Jan Wrobel wrote:
>> [...]
>
> CDNs could mitigate this by, instead of resetting connections with lots of headers,
> just reading all the cookies and throwing them into the bit bucket instead of keeping
> them in RAM, right? That way, there would still be the wasted bandwidth, but
> combined with the Google approach, it should work fine, right? If the client sends too
> many headers, just ignore everything until you reach \n\n, then send back the error
> script?

In my view a cookie reseting script is rather a last resort defense,
not a reliable mechanism to dependent upon. Sites that include
resources from a CDN rarely serve main or iframed HTML documents from
the CDN origin and this is required for the reseting script to work.
If such script was returned when a browser is expecting script, img,
css or other non-html sub-resource, it would not work.

Jan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ