Re: [Bug 53219] mod_ssl should allow to disable ssl compression

2012-10-08 Thread Stefan Fritsch
On Monday 08 October 2012, Roy T. Fielding wrote:
> On Oct 7, 2012, at 6:05 PM, Eric Covener wrote:
>> Any opinions on the default change?  AIUI current maintenance of
>> browsers have disabled TLS compression already, because they can
>> be driven to generate arbitrary traffic that eventually reveals
>> httpOnly session cookies.
>
> Just disable it completely -- adaptive compression of headers is
> inherently incompatible with the goals of TLS.

Is it? I think the main problem is the broken security model of web 
browsers. There are many scenarios where compression does not hurt, 
e.g. with non-browser clients that do not allow chosen plaintext 
attacks, or if authentication is done by client certificate and not by 
header.

Therefore, I would prefer leaving the option available. But defaulting 
to off makes sense.

Cheers,
Stefan
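Added here as an illustration, not code from this thread or from httpd itself: a small audit of an httpd configuration that reports, for every virtual host with SSLEngine on, whether TLS compression is effectively on, off, or silently inherited from the build default that this thread is debating. The directive name SSLCompression is taken from the mod_ssl documentation rather than from the messages above; the sample configuration and the default_off parameter (what the build does when nothing is set) are assumptions.

```python
import re

# Constructed httpd.conf fragment (not from the bug report): one TLS vhost covered
# by a server-level "off", and one that re-enables compression for itself.
SAMPLE_CONF = """\
SSLCompression off
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
</VirtualHost>
<VirtualHost *:8443>
    ServerName legacy.example.test
    SSLEngine on
    SSLCompression on
</VirtualHost>
"""
_OPEN = re.compile(r"^\s*<VirtualHost\b", re.I)
_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
_DIRECTIVE = re.compile(r"^\s*(ServerName|SSLEngine|SSLCompression)\s+(\S+)", re.I)


def audit_ssl_compression(conf_text, default_off=True):
    """Map each vhost with SSLEngine on to its effective SSLCompression state:
    'on', 'off', or 'default-on'/'default-off' when nothing is set anywhere and
    the compiled-in default applies (default_off is an assumption about it)."""
    server_level = None   # SSLCompression outside any <VirtualHost> block
    vhost = None          # directives collected inside the current block
    findings = {}
    for line in conf_text.splitlines():
        if _OPEN.match(line):
            vhost = {}
        elif _CLOSE.match(line) and vhost is not None:
            if vhost.get("sslengine", "off").lower() == "on":
                setting = vhost.get("sslcompression", server_level)
                if setting is None:
                    setting = "default-off" if default_off else "default-on"
                findings[vhost.get("servername", "<unnamed>")] = setting.lower()
            vhost = None
        elif (m := _DIRECTIVE.match(line)):
            key, value = m.group(1).lower(), m.group(2)
            if vhost is not None:
                vhost[key] = value          # vhost-level overrides server-level
            elif key == "sslcompression":
                server_level = value
    return findings


def vhosts_with_compression(conf_text, default_off=True):
    """ServerNames of TLS vhosts whose effective setting still leaves compression on."""
    states = audit_ssl_compression(conf_text, default_off)
    return sorted(n for n, s in states.items() if s in ("on", "default-on"))
```

Run it against a real configuration with default_off set to match the httpd build in use; any name returned by vhosts_with_compression is a host where the CRIME-style leak discussed above is still possible.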


Fwd: [Bug 53219] mod_ssl should allow to disable ssl compression

2012-10-07 Thread Eric Covener
Any opinions on the default change?  AIUI current maintenance of
browsers have disabled TLS compression already, because they can be
driven to generate arbitrary traffic that eventually reveals httpOnly
session cookies.


-- Forwarded message --
From:  bugzi...@apache.org
Date: Sun, Oct 7, 2012 at 8:55 PM
Subject: [Bug 53219] mod_ssl should allow to disable ssl compression
To: b...@httpd.apache.org


https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

--- Comment #10 from Christoph Anton Mitterer cales...@scientia.net ---
Hi.

It's good to see this backported...

However,... I'm a bit concerned...

As far as I understood,... _ALL_ versions of SSL/TLS are vulnerable to the
CRIME attack, right?

So why is compression not forcefully disabled? Not with respect to speed (as
originally intended by Björn) but to security.

If newer versions of TLS should fix the attack one could allow them to
select whether compression should be used or not.

Ideas?




-- 
Eric Covener
cove...@gmail.com


Re: [Bug 53219] mod_ssl should allow to disable ssl compression

2012-10-07 Thread Roy T. Fielding
On Oct 7, 2012, at 6:05 PM, Eric Covener wrote:

> Any opinions on the default change?  AIUI current maintenance of
> browsers have disabled TLS compression already, because they can be
> driven to generate arbitrary traffic that eventually reveals httpOnly
> session cookies.

Just disable it completely -- adaptive compression of headers is
inherently incompatible with the goals of TLS.

Roy