Recently, I read a paper which describes an attack on the HTTP response protocol. The attack is called CRIME or CRIME Extensions. It exploits the TLS compression algorithm. It checks the total payload of the HTTP response after injecting some word into the response message. As the compression algorithm (DEFLATE in TLS) replaces the same word with a shorter length, the attacker can check if the injected word is the same as secret information in the HTML response message.
What I want to know is: do HTML files have secret information? For example, in major websites such as Google or Facebook, after the TLS handshake, a client sends an HTTP request like "send me my personal page", and the server sends an HTTP response which has very private information?
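The length effect described in the question can be measured locally. This is an added example, not part of the original post or the paper: it uses Python's `zlib` as a stand-in for the DEFLATE step, and the page template, the token value and the function names are constructed assumptions.

```python
import zlib

# Constructed sample data: a page that reflects a request parameter and also
# embeds a per-user token. Neither value comes from a real site.
SECRET = "csrf_token=9f3a7c1e5b2d"
TEMPLATE = (
    "<html><body><p>Search: {reflected}</p>"
    "<input type='hidden' name='t' value='{secret}'></body></html>"
)


def response_body(reflected: str) -> bytes:
    """Build the response the server would send for one reflected value."""
    return TEMPLATE.format(reflected=reflected, secret=SECRET).encode()


def wire_length(reflected: str, compress: bool = True) -> int:
    """Length an on-path observer sees: encryption hides content, not size."""
    body = response_body(reflected)
    return len(zlib.compress(body, 9)) if compress else len(body)


def length_depends_on_match(compress: bool) -> bool:
    """True if a reflected value equal to the secret changes the wire length."""
    same = SECRET                      # reflected text repeats the secret
    other = "csrf_token=q8w2k0z4m6v1"  # same length, different value
    return wire_length(same, compress) != wire_length(other, compress)


if __name__ == "__main__":
    for compress in (True, False):
        label = "compression on " if compress else "compression off"
        print(label, "length leaks match:", length_depends_on_match(compress))
```

With compression on, the response that repeats the token is shorter because DEFLATE encodes the second copy as a back-reference; with compression off, both responses have the same length, which is why disabling compression for responses that mix reflected input with secrets removes the signal.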