[openstack-dev] [Horizon][Security] BREACH/CRIME Attack Information

Robert Collins robertc at robertcollins.net
Wed Aug 7 23:32:55 UTC 2013


On 8 August 2013 02:07, Clark, Robert Graham <robert.clark at hp.com> wrote:
> My understanding of such attacks is that they require a
> point-of-presence within the browser to perform the injection which in
> turn enables the side channel. As clients/users won't be interacting
> with the API using a browser I'm not 100% convinced that we need to
> worry about defending against BREACH/CRIME on the API endpoints but that
> *Horizon is a valid concern*.

They need a means to trigger repeated *responses* with slightly
differing payloads. One way to trigger that would be code that asks
for the same thing thousands of times: which btw a lot of our
infrastructure does :(.

> I've not checked but I doubt the API endpoints use transport
> compression, meaning that even if a user were to attempt to interact
> with an endpoint directly using a compromised browser the attack would
> not succeed.

Any compression that leaks sufficient size data in a side channel will
do AIUI, whether it's entity compression, header compression or
transport compression.

-Rob

-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud
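
The point above about compression layers, as an added example that is not part of the original thread: it measures how much the on-the-wire size of one response changes when a reflected value equals a secret in the same compressed stream. The token, header names, and markup are constructed, and zlib stands in for whichever compressor a deployment uses.

```python
import zlib

# Constructed sample values; not taken from any real deployment.
SECRET = "9f2c71d4e8a35b60c4d17e92ab53f08e"  # stand-in for a CSRF or session token
MATCH = SECRET                               # reflected input equal to the secret
MISS = "50b8e6a17c3d92f4a06be5d3814b27fc"    # same length and alphabet, different value


def wire_sizes(reflected, secret_in="body"):
    """Bytes on the wire for one response under each compression layer."""
    headers = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    body = "<p>Results for %s</p>" % reflected
    if secret_in == "body":
        # Secret and reflected input share the entity body.
        body = '<input name="csrf" value="%s">' % SECRET + body
    else:
        # Secret lives in a header; only the reflected input is in the body.
        headers += "Set-Cookie: session=%s\r\n" % SECRET
    h, b = headers.encode(), body.encode()
    return {
        "none": len(h) + len(b),                            # no compression
        "entity": len(h) + len(zlib.compress(b)),           # body-only compression
        "transport": len(zlib.compress(h + b"\r\n" + b)),   # headers and body together
    }


def size_signal(secret_in):
    """Size difference (miss minus match) per layer; a clear gap means length leaks."""
    hit = wire_sizes(MATCH, secret_in)
    miss = wire_sizes(MISS, secret_in)
    return {layer: miss[layer] - hit[layer] for layer in hit}


if __name__ == "__main__":
    for where in ("body", "header"):
        print(where, size_signal(where))
```

When the secret sits in the body, body-only compression is already enough to produce a size gap; when it sits in a header, the gap appears only where headers and body are compressed as one stream, so an audit has to check every layer that can place the secret and the reflected data in the same compression context.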


