carl....@gmail.com
Mar 22, 2015, 6:50:52 PM
to securi...@chromium.org
Many attacks on SSL/TLS depend on sending a large volume of requests to a target site: BEAST, Lucky 13, RC4 weaknesses, etc. Others, like CRIME/BREACH and POODLE, are more compact, but still require hundreds of requests per byte, and there are simple CRIME mitigations that can push it up to thousands.
As a generalised countermeasure against these and similar future attacks, how feasible would it be for Chromium to apply rate-limiting when a page tries to send an unreasonably large number of requests in a small timeframe? E.g. if a page tries to send more than 200 cross-site requests within the same minute, then start applying a 10-second delay between requests.
Exact algorithm/parameters subject to discussion and experimentation, of course, but how feasible is the general idea?
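As an added illustration of the policy sketched above (not Chromium code and not from the original post), here is a per-page sliding-window throttle that uses the post's own figures of 200 requests, one minute and a 10-second spacing; the class and function names and the page identifier "page-a" are constructed for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <deque>
#include <iostream>
#include <map>
#include <string>

// Figures the post floats as an example; subject to tuning in practice.
constexpr std::size_t kThreshold = 200;  // cross-site requests per window
constexpr double kWindowSec = 60.0;      // sliding window length (seconds)
constexpr double kPenaltySec = 10.0;     // spacing once a page is throttled

// Per-page throttle. `page` is a constructed page identifier (e.g. its origin).
class CrossSiteRequestThrottle {
 public:
  // Delay (seconds) to impose on a cross-site request from `page` issued at
  // `now_sec`; the request is recorded at its resulting dispatch time.
  double Schedule(const std::string& page, double now_sec) {
    PageState& st = pages_[page];
    while (!st.sent.empty() && now_sec - st.sent.front() >= kWindowSec)
      st.sent.pop_front();  // forget dispatches that slid out of the window
    double dispatch = now_sec;
    if (st.sent.size() >= kThreshold)  // over budget: space requests out
      dispatch = std::max(now_sec, st.last_dispatch + kPenaltySec);
    st.sent.push_back(dispatch);
    st.last_dispatch = dispatch;
    return dispatch - now_sec;
  }

 private:
  struct PageState {
    std::deque<double> sent;      // dispatch times still inside the window
    double last_dispatch = -1e9;  // sentinel: nothing dispatched yet
  };
  std::map<std::string, PageState> pages_;
};

// Delay the n-th request receives when one page fires n requests at once
// (a constructed burst, the pattern the oracle attacks in the post rely on).
double DelayForNthRequestInBurst(std::size_t n) {
  CrossSiteRequestThrottle throttle;
  double delay = 0.0;
  for (std::size_t i = 0; i < n; ++i) delay = throttle.Schedule("page-a", 0.0);
  return delay;
}

int main() {
  for (std::size_t n = 200; n <= 202; ++n)
    std::cout << "request " << n << ": " << DelayForNthRequestInBurst(n) << "s\n";
}
```

Requests up to the 200th go out immediately; the 201st is held 10 s and the 202nd 20 s, and a second page's requests are unaffected because the budget is tracked per page.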