Compression is often considered an essential tool for reducing the bandwidth usage of internet services. The impact that such compression schemes can have on security, however, has often been overlooked. The recently detailed CRIME, BREACH, TIME and HEIST attacks on TLS have shown that if an attacker can make requests on behalf of a user, then secret information can be extracted from encrypted messages using only the length of the response. Deciding whether an element of a web page should be secret often depends on the content of the page; however, there are some common elements of web pages which should always remain secret, such as Cross-Site Request Forgery (CSRF) tokens. Such tokens are used to ensure that malicious web pages cannot forge requests from a user, by enforcing that any request must contain a secret token included in a previous response.
I worked at Cloudflare last summer to investigate possible solutions to this problem. The result is a project called cf-nocompress. The aim of the project was to develop a tool which automatically mitigates instances of the attack, in particular CSRF token extraction, on Cloudflare-hosted services, transparently and without significantly impacting the effectiveness of compression. We have published a proof-of-concept implementation on GitHub, and provide a challenge site and tool which demonstrate the attack in action.
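The attacks above work because a compressor finds a match between attacker-controlled text and a secret that is byte-for-byte identical in every response. One application-level mitigation is to never emit the raw CSRF token: each response carries the token XORed with a fresh random mask, prefixed by the mask itself, so the bytes differ on every render while the server can still recover and verify the underlying secret. The code below is an added illustration of that per-response masking technique; it is not code from cf-nocompress, which works at the compression layer rather than in the application. The function names and the 32-byte token length are assumptions made for this example.

```python
import binascii
import hmac
import os
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Assumed token size for this example; the page does not specify one.
TOKEN_LEN = 32


def new_session_secret() -> bytes:
    """Per-session CSRF secret, generated once and stored server-side."""
    return os.urandom(TOKEN_LEN)


def mask_token(secret: bytes) -> str:
    """Return mask || (mask XOR secret), base64-encoded.

    A fresh mask is drawn on every call, so two renderings of the same
    secret never share a byte sequence for a compressor to match against.
    """
    mask = os.urandom(len(secret))
    masked = bytes(m ^ s for m, s in zip(mask, secret))
    return urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(encoded: str) -> bytes:
    """Recover the underlying secret from a masked token.

    Raises ValueError on malformed input (bad base64 or odd length).
    """
    try:
        raw = urlsafe_b64decode(encoded.encode("ascii"))
    except (binascii.Error, UnicodeEncodeError) as exc:
        raise ValueError("malformed token") from exc
    if len(raw) == 0 or len(raw) % 2 != 0:
        raise ValueError("malformed token")
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(m ^ x for m, x in zip(mask, masked))


def verify_token(session_secret: bytes, submitted: str) -> bool:
    """Check a submitted masked token against the session secret.

    Malformed input is rejected rather than raising, and the comparison is
    constant-time so the check itself is not a timing oracle.
    """
    try:
        recovered = unmask_token(submitted)
    except ValueError:
        return False
    return hmac.compare_digest(recovered, session_secret)


def render_form(session_secret: bytes) -> str:
    """Constructed HTML fragment embedding a freshly masked token."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf" value="{mask_token(session_secret)}">'
        '</form>'
    )


if __name__ == "__main__":
    secret = new_session_secret()
    a, b = render_form(secret), render_form(secret)
    print("two renders identical:", a == b)            # False
    print("valid token accepted:", verify_token(secret, mask_token(secret)))
    print("garbage rejected:", verify_token(secret, "not-a-token"))
```

Because the mask is random per response, the token bytes in any two responses are independent, so the compressed length of a page no longer depends on how much of the secret an injected guess matches. The session secret itself must still be stored only server-side and rotated on login.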
I began a PhD with the Information Security Group (ISG) at Royal Holloway in September 2015 as part of the Cyber Security CDT. The CDT is set to take 4 years to complete, during which I will be exposed to a wide variety of topics relating to the security of computing devices, such as static and dynamic program analysis, cryptography, and network security.
IG is the world-leading provider of contracts for difference (CFDs) and financial spread betting, and the UK's largest forex provider.
I joined IG as a graduate developer in 2014. Over my first year there I will be working in several teams in the company, taking on a variety of different software development roles.
Throughout 2013 and 2014 I was part of a small agile development team which was tasked with creating a program capable of giving historical information on walks through the Magna Carta site, in preparation for the 800-year anniversary of its signing.
The project required the development of a visual editor, a web frontend, an Android and iPhone application and a server backend. All of the application front ends and the editor interacted with a server which enabled us to easily create and display a large database of information about the site in a formatted way.
The server also allowed the entire database to be dumped as JSON, which allowed for offline viewing of the walks, an important feature as the Magna Carta site had limited wireless data coverage.
© Blake Loring 2018