On Aug 19, 2013, at 9:56 , B.R. wrote: > On Mon, Aug 19, 2013 at 12:41 AM, Igor Sysoev <i...@sysoev.ru> wrote: > > These are different vulnerabilities: SSL compression is subject to > CRIME vulnerability while HTTP/SSL compression is subject to BREACH > vulnerability. > > Incorrect. > > CRIME attacks a vulnerability in the implementation of SSLv3 and TLS1.0 > using CBC flaw: the IV was guessable. Hte other vulnerability was a > facilitator to inject automatically arbitrary content (so attackers could > inject what they wish to make their trail-and-error attack). > CRIME conclusion is: use TLS v1.1 or later (not greater than v1.2 for now).
You probably mix up it with BEAST. > BREACH attacks the fact that compressed HTTP content encrypted with SSL makes > it easy to guess a known existing header field from the request that is > repeated in the (encrypted) answer looking at the size of the body. > BEAST conclusion is: don't use HTTP compression underneath SSL encryption. -- Igor Sysoev http://nginx.com/services.html
_______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx