--- Comment #4 from Craig <> ---
CRIME is a vulnerability that applies to TLS compression - I'm not suggesting
here that TLS compression be used (it was actually removed in TLS 1.3). So I
don't believe CRIME is relevant.

BREACH is relevant... There are mitigations (such as SameSite cookies), but
there's no guarantee that applications running Tomcat have implemented them. So
I see your point :)

Roes Tomcat have any mitigations for BREACH in place today? It seems Tomcat
doesn't do any kind of random response padding (such as with empty response
chunks or randomly sized response chunking).

You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to