The latest stable Fx and Chrome, including mobile, will still work, right? What about various web services like rss readers or the google bot?
You would probably break your site for a lot of your users.
> The newest stable Fx and Chrome, including mobile, will still work, right?
I think so.
> What about various web services like rss readers
They should be fine... unsure. I presume most web services use OpenSSL... and thanks to Heartbleed they should be using the latest OpenSSL libraries.
> or the google bot
I doubt Googlebot would have issues scraping you, but I don't think Google would rank you well if they knew your site would be broken for a significant chunk of users.
One idea would be to try to change the ciphertext so it would produce an entire padding block (and then it would be easy to test if it is indeed an entire block of padding just by tampering with it without modifying the last byte and it would still be accepted).
I guess someone here could answer my question?
So what you do is generate an HTTP request that, taken together with the SSL MAC, will align on a block boundary. Then you're guaranteed to have one full block of padding.
It might sound difficult to pull this off with multiple unknowns (other cookies, user agent string, etc.), but in practice it would be easy. You could make sure things line up correctly just by incrementing your packet length by one byte at a time until you see the record size jump by a block.
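
The length arithmetic behind the alignment described in the last two comments, as an added sketch that is not part of the thread. It models record sizes only; the 20-byte MAC, the 16-byte block, minimal padding, and all function names are assumptions of the example.

```python
MAC_LEN = 20   # assumption: SHA-1 based MAC, as in common SSLv3 CBC suites
BLOCK = 16     # assumption: AES-CBC; use 8 for 3DES


def padding_len(plaintext_len, mac_len=MAC_LEN, block=BLOCK):
    """Padding bytes in the record, counting the trailing length byte.

    An SSLv3 CBC record is data || MAC || padding || padding_length.
    With minimal padding the total is 1..block bytes, and it is a whole
    block exactly when data + MAC already ends on a block boundary.
    """
    return block - (plaintext_len + mac_len) % block


def record_len(plaintext_len, mac_len=MAC_LEN, block=BLOCK):
    """Ciphertext length visible on the wire for a given plaintext length."""
    return plaintext_len + mac_len + padding_len(plaintext_len, mac_len, block)


def extra_bytes_until_jump(observe, block=BLOCK):
    """Grow the request one byte at a time until the record grows by a block.

    observe(extra) is a callable returning the record length when `extra`
    bytes are added to the request. Nothing about the request's contents
    is needed: the jump itself marks the point where the last block is
    padding only.
    """
    base = observe(0)
    for extra in range(1, block + 1):
        if observe(extra) == base + block:
            return extra
    raise ValueError("no block-sized jump seen; wrong block size assumed?")


if __name__ == "__main__":
    unknown_len = 423  # constructed sample: request length hidden from the observer
    extra = extra_bytes_until_jump(lambda e: record_len(unknown_len + e))
    print("bytes added before the jump:", extra)
    print("padding at that point:", padding_len(unknown_len + extra), "bytes")
```

The record length leaks the plaintext length modulo the block size, which is why the other unknown fields in the request do not need to be known for the alignment to work.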