Hacker News

I was going through that article after you posted it... is BREACH still an exploit in the wild? Turning off compression altogether seems painful :/

Well, the exploit doesn't just go away.

Any context compressor could introduce the same hole if attacker-provided and sensitive data share contexts.

Specific countermeasures include salting your anti-CSRF tokens (so make sure they're not consistent but differ on every page load!).
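A worked illustration of the two points made in the reply above, added here as an example and not code from either commenter: first, why a token that is byte-for-byte identical on every page load leaks through compression when attacker-reflected text lands in the same response body, and second, the per-page-load masking the reply recommends (a fresh random pad XORed over the secret on every render, so the bytes in the page never repeat across requests). The secret value, page template and helper names are constructed for this example.

```python
import hmac
import os
import zlib

# Constructed example secret; in a real application this would be the
# per-session anti-CSRF secret held server-side.
SESSION_CSRF_SECRET = bytes.fromhex("d41d8cd98f00b204e9800998ecf8427e")


def mask_token(secret: bytes) -> bytes:
    """Return pad || (secret XOR pad) with a fresh random pad on every call.

    The page therefore embeds a different byte string on each load even
    though the underlying secret is constant, so a compression oracle has
    nothing stable to recover one character at a time.
    """
    pad = os.urandom(len(secret))
    return pad + bytes(a ^ b for a, b in zip(secret, pad))


def unmask_token(blob: bytes, secret_len: int) -> bytes:
    """Inverse of mask_token: split off the pad and XOR it back out."""
    pad, masked = blob[:secret_len], blob[secret_len:]
    return bytes(a ^ b for a, b in zip(masked, pad))


def verify_token(blob: bytes, secret: bytes) -> bool:
    """Server-side check of a submitted masked token (constant-time compare)."""
    if len(blob) != 2 * len(secret):
        return False
    return hmac.compare_digest(unmask_token(blob, len(secret)), secret)


def render_page(csrf_field: str, reflected: str) -> bytes:
    """Minimal page that mixes a CSRF token with attacker-controlled text
    (a reflected search string) in the same compression context."""
    html = (
        f'<form><input type="hidden" name="csrf" value="{csrf_field}"></form>'
        f'<p>Search results for: {reflected}</p>'
    )
    return html.encode()


def compressed_len(body: bytes) -> int:
    """Length after DEFLATE: the only signal a BREACH attacker observes."""
    return len(zlib.compress(body))


def static_token_gap(secret: bytes) -> int:
    """Oracle behaviour with an unmasked token.

    The attacker reflects a guess at the token's prefix. A correct guess is
    absorbed into a longer back-reference than an incorrect one, so the
    response shrinks. Returns wrong_len - correct_len; a non-negative value
    (in practice one byte here) means length reveals whether the guess hit.
    """
    field = secret.hex()
    good = render_page(field, 'value="' + field[:8])
    bad = render_page(field, 'value="' + field[:7] + "z")
    return compressed_len(bad) - compressed_len(good)


def masked_token_gap(secret: bytes) -> int:
    """Same attacker guess against a page whose token is masked per load.

    The rendered field is pad||(secret^pad) in hex, which shares no stable
    prefix with the secret, so the difference is just noise from the random
    bytes rather than a signal about the secret."""
    field = mask_token(secret).hex()
    secret_hex = secret.hex()
    good = render_page(field, 'value="' + secret_hex[:8])
    bad = render_page(field, 'value="' + secret_hex[:7] + "z")
    return compressed_len(bad) - compressed_len(good)


def masked_token_samples(secret: bytes, n: int = 4) -> list[str]:
    """The token field as rendered across n page loads; every entry differs."""
    return [mask_token(secret).hex() for _ in range(n)]


if __name__ == "__main__":
    print("static token gap (bytes):", static_token_gap(SESSION_CSRF_SECRET))
    print("masked token gap (bytes):", masked_token_gap(SESSION_CSRF_SECRET))
    for sample in masked_token_samples(SESSION_CSRF_SECRET):
        print("rendered:", sample)
    blob = mask_token(SESSION_CSRF_SECRET)
    print("verify:", verify_token(blob, SESSION_CSRF_SECRET))
```

Masking only helps for the token itself: any other secret that sits in the same compressed response as attacker-controlled data is still exposed, which is the reply's wider point that the hole belongs to the compression context, not to one header or field.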
