[google-appengine] Re: BREACH attack - is App Engine vulnerable?

2013-08-07 Thread Chad Vincent
I'm with the person from Iron Mountain...  Just like CRIME, they both seem 
to require some kind of XSS vulnerability in the page, then take advantage 
of TLS and GZIP.  As long as your users don't use a lot of suspicious 
add-ons and you prevent XSS as best as you can, I really don't think 
there's much risk.

Not that the compression + encryption combination doesn't need to be fixed, but you 
not only need help from Google to mitigate it on AppEngine by supporting an 
updated standard, but all of your users will have to use an updated web 
browser, too.

-- 
You received this message because you are subscribed to the Google Groups 
Google App Engine group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at http://groups.google.com/group/google-appengine.
For more options, visit https://groups.google.com/groups/opt_out.




[google-appengine] Re: BREACH attack - is App Engine vulnerable?

2013-08-06 Thread Iron Mountain Foundry
I'm not from Google, but this seems a little too slick of a presentation. 
They already have a glossy website with a custom domain name, complete 
with bios on the authors.  Just because it's associated with BlackHat 
doesn't mean it's a class 1 emergency.  Reading up on the details shows 
that it's a pretty slim window of attack.

But I'm just a skeptic, not an expert.  I'd love to hear from the security 
specialists at Google on this.
