Hacker News
veesahni, 4695 days ago
I'm in the same boat - if the attacker could inject strings into requests pre-compression, then wouldn't the client already be compromised?
rlucas, 4695 days ago
No, you're missing that the original GET requests can be performed in some cases over HTTP, either by forgery or by surreptitiously spoofing the user's own browser into doing it. No need to have compromised the SSL/TLS.