On Monday 08 October 2012, Roy T. Fielding wrote:
> On Oct 7, 2012, at 6:05 PM, Eric Covener wrote:
> > Any opinions on the default change? AIUI current maintenance of
> > browsers have disabled TLS compression already, because they can
> > be driven to generate arbitrary traffic that eventually reveals
> > httpOnly session cookies.
>
> Just disable it completely -- adaptive compression of headers is
> inherently incompatible with the goals of TLS.

Is it? I think the main problem is the broken security model of web browsers. There are many scenarios where compression does not hurt, e.g. with non-browser clients that do not allow chosen plaintext attacks, or if authentication is done by client certificate and not by header.

Therefore, I would prefer leaving the option available. But defaulting to off makes sense.

Cheers,
Stefan
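Whichever default wins, an operator will want to confirm what their server actually negotiates. The check below is an added example, not code from the thread or from httpd: it reads the `Compression:` line that `openssl s_client` prints in its connection summary, and it assumes the `openssl` command-line tool is installed (only the `tls_compression_enabled` wrapper needs network access; the two helpers work on captured output).

```shell
#!/bin/sh
# Added example: detect whether a TLS endpoint negotiates compression.
# openssl s_client prints a summary line such as "Compression: NONE"
# (or e.g. "Compression: zlib compression" when compression was agreed).

# Read s_client output on stdin and print the negotiated method.
# Only the column-0 "Compression:" line is used; the indented
# "Compression: 0" inside the SSL-Session block is ignored.
tls_compression_from_sclient() {
    sed -n 's/^Compression:[[:space:]]*//p' | head -n 1
}

# Decide from the method string: exit 0 when compression is in use
# (a finding), 1 when it is "NONE" or the line was absent.
is_tls_compression_method() {
    [ -n "$1" ] && [ "$1" != "NONE" ]
}

# Wrapper for a live host (needs network): exit 0 if compression is
# negotiated, 1 otherwise. Port defaults to 443.
tls_compression_enabled() {
    host="$1"; port="${2:-443}"
    method=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                 -servername "$host" 2>/dev/null | tls_compression_from_sclient)
    is_tls_compression_method "$method"
}
```

Run `tls_compression_enabled your.host.example` after changing the setting; an exit status of 0 means the server still agrees to compress.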