On 13 August 2013 at 8:47:04 PM, Ryan Schmidt (google-2...@ryandesign.com) wrote:

On Aug 13, 2013, at 07:16, Chris Wakare wrote: 

> During the 2013 Black Hat conference, researchers announced the BREACH 
> attack. As BREACH takes advantage of vulnerabilities when serving compressed 
> data over SSL/TLS, it's been advised to disable compression of web responses. 
> 
> I see this holds true for nodejs applications as well as we by practice 
> always enable http compression. 
> 
> Do refer https://www.blackhat.com/us-13/briefings.html#Prado for more details 

I have not read the page you refer to (TL;DR) but surely the correct solution 
is to fix whatever vulnerabilities may exist in compression with SSL, rather 
than to disable it. Compression is highly desirable and widely advocated, for 
all the obvious reasons. 

It’s a systemic flaw in the way that compression interacts with encryption.  
The best ways to defeat it are to make your compression unpredictable to an 
order of magnitude that outstrips the ability to guess what the content is by 
how it’s compressed given enough tries.

It’s hard to fix statistical attacks without letting the details leak into the 
layers above. In this case, adding random data in certain places in the stream 
is what’s needed — but that means altering the content, it’s not a simple 
transform that can be done at low layers.
