Source: root-system
Severity: important
Tags: security

Hi folks,
AFAICS, Debian's Apache 2.2 is still vulnerable to CRIME. Well, AFAIK, CRIME is thought to be fixed on the browser side, by them simply not using compression with TLS. While this helps in many cases, IMHO it's not enough, and I'd rather have a way to force the server to secure things (just as it is, AFAIK, done with the BEAST attack).

A feature to disable compression for mod_ssl has been backported to 2.2.x: https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

Can we cherry-pick this? And perhaps enable it by default in mod_ssl's config.

Cheers,
Chris.

