Thomas Ponin gives a thorough answer about an upcoming disclosure of a vulnerability in TLS that involves cookies in a TLS connection that is using compression (gzip and zip) and then submitting additional blank cookies with malicious Javascript code that hits the victims machine – the added cookies are all the same size due to compression except for the cookie containing the secret, which due to the compression algorithm gets compressed just a bit more. The secret can possibly be guessed by reconstructing it in this way.

Bottom line: Don’t login to your investment account on a public wifi and if you do, don’t leave it open for very long. Shouldn’t do that, anyway…

Update: ARS Technica put out an article about this today.

Advertisements