HTML/JavaScript compation for security
I just ran across this point that references a security vulnerability in Web Apps that depends on looking at the size of encrypted web pages to deduce what the uses is doing. The simplest solution to this I can think of would be to use a tool to minify all static content so that (after encryption) only a small number of result sizes exist so as to minimize the information available 开发者_高级运维to an eavesdropper.
Are there any tools for doing this?
The default thing to do a minification of static content would be to enable HTTP Compression. It would reduce the number of result sizes a bit.
But consider, that if you shrink the content to half the size, there will not necessarily be only half as many result sizes! This would only be the case, if your original content used all the possible sizes. Let's say, your original content offers 4 different sizes: 10kB, 12 kB and 14 kB
If your compression shrinks each of them to half size, you'll still end up with three different sizes: 5kB, 6kB and 7kB.
Note To make it clear (maybe it wasn't): This is rather an advice against using minification/compression. See also my comment.
No, I do not know of a tool to prevent this attack. The reason why is because this is a very limited attack that isn't common in the real world. Many crypto attacks are completely useless in the real world.
To prevent this attack the server can add random padding to the message. In the case of async-scripts you could add junk xml or json elements. In other cases you could add html or javascript comments. This is trivial to implement and I don't think this warrants a "tool".
Military networks do this to defend against this very attack by using a constant stream of data. I think its implemented ether on the transport or network layer. It would be tricky to pull that off on the application layer with http. Also, bandwidth is much less important than military secrets, where as this is probably not the case with your web app.
精彩评论