[openstack-dev] [Horizon][Security] BREACH/CRIME Attack Information

Clark, Robert Graham robert.clark at hp.com
Wed Aug 7 14:07:44 UTC 2013


My understanding of such attacks is that they require a
point-of-presence within the browser to perform the injection which in
turn enables the side channel. As clients/users won't be interacting
with the API using a browser I'm not 100% convinced that we need to
worry about defending against BREACH/CRIME on the API endpoints but that
*Horizon is a valid concern*.

I've not checked but I doubt the API endpoints use transport
compression, meaning that even if a user were to attempt to interact
with an endpoint directly using a compromised browser the attack would
not succeed. 

> -----Original Message-----
> From: Robert Collins [mailto:robertc at robertcollins.net]
> Sent: 07 August 2013 10:21
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [Horizon][Security] BREACH/CRIME Attack
> Information
> 
> On 7 August 2013 20:30, Thierry Carrez <thierry at openstack.org> wrote:
> > Gabriel Hurley wrote:
> >> Many of you have probably heard about the "BREACH" attack/security
> >> vulnerability in HTTPS traffic that was disclosed recently, and I'd
> >> like to take a moment to provide some info about how that affects
> >> Horizon. I'm not following the official vulnerability management
> >> process because 1. The vulnerability is already disclosed publicly,
> >> 2. Workaround information has already been published by Django and
> >> many others, and 3. There's no one-off code fix on our end so
> >> awareness is the best possible thing.
> >
> > Agree that there is nothing to patch in our code at this point and
> > therefore no base for an OpenStack Security Advisory (OSSA). The
> > information you provided would still make a great OpenStack Security
> > Note (OSSN), though. Those are issued by the OpenStack Security Group,
> > I CC-ed Rob Clark so that he puts it on his radar.
> 
> Note that our API services are likely a rich target too - when running
> under SSL it should be fairly straightforward to get minor changes to
> the payload from keystone (e.g. with repeated token calls - but I don't
> know the API well enough to speculate in detail).
> 
> -Rob
> 
> --
> Robert Collins <rbtcollins at hp.com>
> Distinguished Technologist
> HP Converged Cloud
> 
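Added example, not part of the thread: rather than guessing whether an endpoint uses transport compression, a defender can check a captured response against the three BREACH preconditions the discussion turns on (compressed body, attacker-influenced content reflected into it, and a secret such as a Django CSRF token or a Keystone token id in the same response). Both responses below are constructed samples, not real Horizon or Keystone traffic.

```python
import gzip
import re
import zlib

# Constructed sample responses (not captured from any real deployment).
# The first mimics a Django/Horizon page that gzips output, echoes a query
# parameter and embeds a CSRF token, so every BREACH precondition is met.
# The second mimics a Keystone-style JSON reply sent with no transport
# compression, so the compression side channel carries no signal.
HORIZON_BODY = (b'<html><body><form><input type="hidden" '
                b'name="csrfmiddlewaretoken" value="abc123SECRET"></form>'
                b'<p>Results for: needle</p></body></html>')
HORIZON_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                    b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(HORIZON_BODY))
API_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
                b'{"access": {"token": {"id": "abc123SECRET"}}, "echo": "needle"}')

# Shapes of secrets worth protecting; extend for the application under review.
SECRET_PATTERNS = [re.compile(p) for p in (
    rb'csrfmiddlewaretoken"\s+value="([^"]+)"',   # Django CSRF token field
    rb'"token":\s*\{[^}]*"id":\s*"([^"]+)"',       # Keystone v2-style token id
)]

def parse_response(raw):
    """Split a raw HTTP/1.1 response into lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    return headers, body

def decode_body(headers, body):
    """Undo HTTP content encoding so the plaintext can be inspected."""
    enc = headers.get("content-encoding", "identity").lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        return zlib.decompress(body)   # zlib-wrapped deflate, as RFC 7230 intends
    return body

def breach_preconditions(raw, attacker_input):
    """Report which BREACH preconditions one response satisfies."""
    headers, body = parse_response(raw)
    plain = decode_body(headers, body)
    compressed = headers.get("content-encoding", "identity").lower() != "identity"
    reflects = attacker_input in plain
    has_secret = any(p.search(plain) for p in SECRET_PATTERNS)
    return {"compressed": compressed, "reflects_input": reflects,
            "contains_secret": has_secret,
            "at_risk": compressed and reflects and has_secret}
```

A response that reflects input and carries a secret but is not compressed (the API case) is reported as not at risk, which is exactly the point made above about the API endpoints; the Horizon-style page is flagged.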