[Twisted-Python] AutobahnPython 0.6.3 - WebSocket compression and more

Tobias Oberstein tobias.oberstein at tavendo.de
Sun Oct 6 04:51:32 MDT 2013


> If I get a chance, I'll try to apply the recent attacks by Rizzo et al. on TLS compression and the compressed stream over TLS equivalent by Prado et al., since I like compression but I also send credentials over TLS :)

I guess you are referring to CRIME/BEAST, right?

I haven't had a deep look into those, but it seems they require plaintext injection.

In the context of WebSocket (using compression, and with transport over TLS), that would mean injecting WebSocket messages with chosen payload into the conversation between client and server.

What I don't get: unless at least one of the endpoints has been compromised, how are you going to inject? And if an endpoint has been compromised, one might as well just grab the unencrypted stuff right away.

What am I missing?

/Tobias


