I have seen random workarounds at the app level as well, where the app adds a ra... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		lnanek2 on Aug 6, 2013 \| parent \| context \| favorite \| on: Security advisory: Breach and Django I have seen random workarounds at the app level as well, where the app adds a random length HTML comment on the end of the page. But if random can be statistically removed, then they shouldn't add a random amount. Maybe just track the max size of the returned response and always add enough to reach that max size. Therefore the lengths of all the pages will always be the same. This is still better than turning off compression completely. A typical max for a detail page in an app might just be the size of the page plus 256 bytes per app output field.

pquerna on Aug 6, 2013 [–]

You can basically add as many or as few bytes as you like, by abusing the chunk-extension in chunked encoding:

http://tools.ietf.org/html/rfc2616#section-3.6.1

So you could make all http responses round into 128 byte chunks, by appending 1 to 128 bytes at the end of every response.

Effectively it gives you length hiding at an http layer; Still attackable.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact