Talk:CRIME

White paper
Is the white paper published yet? I can't find it on the Ekoparty website or on Juliano's Twitter feed. — Preceding unsigned comment added by 94.66.52.86 (talk) 00:42, 25 September 2012 (UTC)

Derivatives relevant?
I added the paragraph about BREACH as an advancement of CRIME, as relevant. User:Thompor took issue with that and deleted the lot with the terse edit summary "improved", which was later reverted. What do others think about mentioning derivatives of CRIME? --Lexein (talk) 07:49, 18 September 2013 (UTC)

Removed para
CRIME may also be defeated on the client side by placing restrictions on cross-site requests, known as cross-site request forgery (CSRF) protection. The "CsFire" extension for Mozilla Firefox strips authentication and cookies from cross-site requests, while the "RequestPolicy" extension completely blocks cross-site requests by default. However, these extensions interfere with the normal operation of many websites, so the user must set up and maintain whitelists of unrestricted requests.


 * 1) CRIME is a generic (and different) attack; this only helps with BREACH.
 * 2) It mitigates the attack, doesn't defeat it. The strength of the attack is in controlling (or knowing) the downloaded cleartext, not necessarily in the method used.
 * 3) "BREACH is a category of vulnerabilities"
 * 4) It requires that the attacked system "Reflect a secret (such as a CSRF token) in HTTP response bodies", i.e. CSRF is only one secret type that can be revealed.

All the best: Rich Farmbrough, 21:21, 15 June 2015 (UTC).

Move discussion in progress
There is a move discussion in progress on Talk:BREACH (security exploit) which affects this page. Please participate on that page and not in this talk page section. Thank you. —RMCD bot 23:33, 4 March 2017 (UTC)