Suggestion for proactive security: rate limiting (cross-post from chromium-discuss)


carl....@gmail.com

Mar 22, 2015, 6:50:52 PM3/22/15
to securi...@chromium.org
Many attacks on SSL/TLS depend on sending a large volume of requests to a target site. BEAST, Lucky 13, RC4 weaknesses, etc. Others, like CRIME/BREACH and POODLE, are more compact, but still require hundreds of requests per byte, and there are simple CRIME mitigations that can push it up to thousands.

As a generalised countermeasure against these and similar future attacks, how feasible would it be for Chromium to apply rate-limiting when a page tries to send an unreasonably large number of requests in a small timeframe? E.g. if a page tries to send more than 200 cross-site requests within the same minute, then start applying a 10-second delay between requests.

Exact algorithm/parameters subject to discussion and experimentation, of course, but how feasible is the general idea?
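The throttling policy sketched in the post, written out as an added simulation (this is not Chromium code and not the poster's own): a per-page sliding-window limiter that counts cross-site requests issued by a page, and once more than 200 have gone out within 60 seconds, spaces further cross-site requests at least 10 seconds apart. The "site" definition (scheme plus host) and the `CrossSiteRateLimiter`/`schedule` names are assumptions made for the example; the threshold, window and delay are the numbers from the post.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Parameters taken from the proposal in the post.
THRESHOLD = 200        # cross-site requests allowed per window before throttling
WINDOW_SECONDS = 60.0  # length of the sliding window ("within the same minute")
DELAY_SECONDS = 10.0   # minimum spacing between requests once throttled


def site_of(url):
    """Assumption for this example: a 'site' is (scheme, host).

    A real browser would use a registrable-domain (eTLD+1) notion of site;
    this simplification is enough to separate same-site from cross-site here.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return (parts.scheme.lower(), host)


class CrossSiteRateLimiter:
    """Per-page limiter that delays cross-site requests after a burst.

    Same-site requests are never counted or delayed, so ordinary page
    behaviour is unaffected; only a page hammering other origins is slowed.
    """

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS,
                 delay=DELAY_SECONDS):
        self.threshold = threshold
        self.window = window
        self.delay = delay
        # page site -> send times of recent cross-site requests (monotonic)
        self._history = defaultdict(deque)
        # page site -> send time of the most recent cross-site request
        self._last_send = {}

    def schedule(self, page_url, request_url, now):
        """Return the delay in seconds to impose on `request_url` issued by
        `page_url` at time `now` (0.0 means send immediately)."""
        page_site = site_of(page_url)
        if site_of(request_url) == page_site:
            return 0.0  # same-site traffic is out of scope for the policy

        history = self._history[page_site]
        # Evict send times that have fallen out of the sliding window.
        while history and now - history[0] >= self.window:
            history.popleft()

        if len(history) < self.threshold:
            send_at = now  # still under the per-minute budget
        else:
            # Over budget: keep at least `delay` seconds between sends.
            send_at = max(now, self._last_send[page_site] + self.delay)

        history.append(send_at)
        self._last_send[page_site] = send_at
        return send_at - now


def burst_delays(page_url, target_url, count, interval, limiter=None):
    """Simulate `count` cross-site requests from one page spaced `interval`
    seconds apart and return the delay each one would receive."""
    limiter = limiter or CrossSiteRateLimiter()
    return [limiter.schedule(page_url, target_url, i * interval)
            for i in range(count)]


if __name__ == "__main__":
    # Constructed scenario: a page fires 205 cross-site requests, 10 per second.
    delays = burst_delays("https://attacker.example/", "https://bank.example/api",
                          205, 0.1)
    for i, d in enumerate(delays[195:], start=196):
        print(f"request {i:3d}: delay {d:5.1f}s")
```

Requests 1 to 200 go out untouched; request 201, arriving 0.1 s after the 200th, is held until 10 s after it, request 202 another 10 s later, and so on, until enough old send times leave the 60-second window for the budget to recover. Running it shows the knee in the policy and makes it easy to experiment with the parameters the post leaves open.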

Adrienne Porter Felt

Mar 22, 2015, 6:51:47 PM3/22/15
to carl....@gmail.com, security-dev, Ben Wells
+benwells

Ryan Sleevi

Mar 22, 2015, 10:57:53 PM3/22/15
to Adrienne Porter Felt, benw...@chromium.org, security-dev, carl....@gmail.com

+net-dev on BCC; to continue the discussion, security-dev is the place to be.
