On 06/06/2016 08:35 AM, Matthias Kuhn wrote:
> Hi
>
> I think it is enabled on both sides, at least that's what measurements
> indicate. My previous assumptions that it's not enabled were based on
> Richard's statement about the size of 1MB.
>
> @Alex, we are already using https by default, do you have any chance to
> verify if we are affected by the mentioned security flaw?
>
> Matthias
>

We might be ok because there are no authentication cookies in the plugin lookup, at least for our Public repo. For those entities running private authenticated repos this could be an issue.

https://en.wikipedia.org/wiki/BREACH_%28security_exploit%29
https://en.wikipedia.org/wiki/CRIME
https://blog.qualys.com/ssllabs/2013/08/07/defending-against-the-breach-attack

-Alex