On 26/02/18 19:57, jtb wrote:
> markt wrote
>> On 08/02/18 20:15, Pierre Chiu wrote:
>>
>> Add compression="on" to the UpgradeProtocol
>>
>> Mark
>
> Is this configuration safe given the BREACH vulnerability? Or is that
> mitigated in Tomcat 9?

It depends on how it is used. BREACH has three requirements for a successful attack. Compression is just one of them. If one or both of the others does not apply, then the compression can be safely used.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
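
The reply above does not list the three requirements; as published for BREACH they are HTTP-level compression, request input reflected in the response body, and a secret in that same body. The following check is an added example, not part of the thread or of Tomcat, and reports which of the three a given response meets. The secret field names and the sample responses are constructed assumptions.

```python
import html
import re

# Content codings that mean the body was compressed at the HTTP level.
COMPRESSED_CODINGS = {"gzip", "deflate", "br"}

# Hypothetical secret-bearing fields; adjust to the application under review.
SECRET_PATTERNS = {
    "csrf_token": re.compile(r'name="csrf_token"\s+value="[^"]{8,}"'),
    "api_key": re.compile(r'"api_key"\s*:\s*"[^"]{8,}"'),
}

def breach_conditions(request_params, response_headers, body, min_len=4):
    """Report which of the three BREACH preconditions one response meets."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    codings = {c.strip().lower() for c in headers.get("content-encoding", "").split(",")}
    reflected = sorted(
        name for name, value in request_params.items()
        # Very short values match by chance, so ignore them.
        if len(value) >= min_len and (value in body or html.escape(value) in body)
    )
    secrets = sorted(n for n, rx in SECRET_PATTERNS.items() if rx.search(body))
    return {
        "compressed": bool(codings & COMPRESSED_CODINGS),
        "reflected_params": reflected,
        "secret_fields": secrets,
    }

def breach_exposed(report):
    """All three conditions must hold; removing any one is enough."""
    return bool(report["compressed"] and report["reflected_params"] and report["secret_fields"])

# Constructed sample responses (not captured traffic).
SEARCH_PAGE = ('<p>Results for <b>tomcat &amp; http2</b></p>'
               '<form><input type="hidden" name="csrf_token" value="3f9c1a7be2d44c08"></form>')
STATIC_PAGE = "<h1>About</h1><p>Nothing request-dependent here.</p>"

if __name__ == "__main__":
    for label, params, hdrs, body in [
        ("search, gzip", {"q": "tomcat & http2"}, {"Content-Encoding": "gzip"}, SEARCH_PAGE),
        ("search, identity", {"q": "tomcat & http2"}, {}, SEARCH_PAGE),
        ("static, gzip", {}, {"content-encoding": "gzip"}, STATIC_PAGE),
    ]:
        report = breach_conditions(params, hdrs, body)
        print(label, report, "exposed" if breach_exposed(report) else "not exposed")
```

Pass it the decoded response body, since the check for reflected input and secrets works on plaintext rather than on the compressed bytes.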