I'm with the person from Iron Mountain... Just like CRIME, they both seem to require some kind of XSS vulnerability in the page, then take advantage of TLS and GZIP. As long as your users don't use a lot of suspicious add-ons and you prevent XSS as best as you can, I really don't think there's much risk.
Not that the compression + encryption combination don't need fixed, but you not only need help from Google to mitigate it on AppEngine by supporting an updated standard, but all of your users will have to use an updated web browser, too. -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscr...@googlegroups.com. To post to this group, send email to google-appengine@googlegroups.com. Visit this group at http://groups.google.com/group/google-appengine. For more options, visit https://groups.google.com/groups/opt_out.
