undefined | Better HN

0 pointsspand9y ago0 comments

No that is not all an attacker could know. TLS does not provide confidentiality of the number of bytes transmitted. So in your example an attacker would only have to crawl the public website and find the pages matching in size to the ones you have been browsing.

0 comments

mi100hael9y ago

There are web server modules that will append random-length comments to the end of a page's HTML in order to foil this kind of attack

https://github.com/nulab/nginx-length-hiding-filter-module

paulddraper9y ago

Cookies, user-agent header, and keep-alives will make that very hard to figure out.

rplst89y ago

Couldn't this be thwarted by injecting random bytes into each page served to vary the file sizes?

cmdrfred9y ago

Good point I hadn't considered that.

j / k navigate · click thread line to collapse