On Oct 7, 2012, at 6:05 PM, Eric Covener wrote: > Any opinions on the default change? AIUI current maintenance of > browsers have disabled TLS compression already, because they can be > driven to generate arbitrary traffic that eventually reveals httpOnly > session cookies.
Just disable it completely -- adaptive compression of headers is inherently incompatible with the goals of TLS. ....Roy