[users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder tom.brow...@gmail.com wrote:
> I have several SSL/TLS-only virtual sites running under Apache 2.4.7. I haven't turned on compression because of all the warnings about CRIME and BREACH. However, when I run my sites against web site analyzers they always suggest turning on compression.
>
> So what is the consensus?

Ping! Anyone?

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, 2014-06-06 at 09:21 -0500, Tom Browder wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder tom.brow...@gmail.com wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7. I haven't turned on compression because of all the warnings about CRIME and BREACH. However, when I run my sites against web site analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
>
> Ping! Anyone?
>
> -Tom

Sorry, I have no idea.
Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, Jun 6, 2014 at 10:21 AM, Tom Browder tom.brow...@gmail.com wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder tom.brow...@gmail.com wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7. I haven't turned on compression because of all the warnings about CRIME and BREACH. However, when I run my sites against web site analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
>
> Ping! Anyone?

I think the free OpenSSL Cookbook part of Ivan Ristić's guide addresses some of your question. There's also an Apache-specific chapter of the big book which I haven't looked at.

See http://blog.ivanristic.com/2014/05/bulletproof-update-may-deployment-and-performance.html

> -Tom

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick traw...@gmail.com wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder tom.brow...@gmail.com wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7. I haven't turned on compression because of all the warnings about CRIME and BREACH. However, when I run my sites against web site analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
> ...
> I think the free OpenSSL Cookbook part of Ivan Ristić's guide addresses some of your question. There's also an Apache-specific chapter of the big book which I haven't looked at.

Thanks, Jeff--I forgot about Ivan's book!

Best regards,

-Tom
Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, Jun 6, 2014 at 10:35 AM, Tom Browder tom.brow...@gmail.com wrote:
> On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick traw...@gmail.com wrote:
> > On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder tom.brow...@gmail.com wrote:
> > > I have several SSL/TLS-only virtual sites running under Apache 2.4.7. I haven't turned on compression because of all the warnings about CRIME and BREACH. However, when I run my sites against web site analyzers they always suggest turning on compression.
> > >
> > > So what is the consensus?
> > ...
> > I think the free OpenSSL Cookbook part of Ivan Ristić's guide addresses some of your question. There's also an Apache-specific chapter of the big book which I haven't looked at.
>
> Thanks, Jeff--I forgot about Ivan's book!

Actually, I also forgot about the Qualys site altogether! And I think this is the answer:

  https://community.qualys.com/message/20404#20404

Note also the site has a wonderful (and free) SSL/TLS checker I have used a lot in the past:

  https://www.ssllabs.com/ssltest/

Best,

-Tom
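As an added illustration of the trade-off the thread is asking about (this is example configuration written for this page, not something posted by anyone on the list or taken from the Qualys article), here is how the two attacks map onto two different Apache 2.4 settings. CRIME abuses TLS-level compression, which mod_ssl controls with SSLCompression. BREACH abuses HTTP-level compression of a response that mixes a per-user secret (a CSRF token, a session identifier echoed into the page) with input an attacker can influence; static assets contain neither, so mod_deflate can be limited to those content types. The hostname, paths and URI prefixes are placeholders; the directives themselves (SSLCompression, AddOutputFilterByType from mod_filter, the DEFLATE filter, SetEnvIf with the no-gzip variable) are standard Apache 2.4 directives.

```apache
# Added example, not from the thread: one TLS-only vhost on Apache 2.4.
# Assumes mod_ssl, mod_deflate, mod_filter and mod_setenvif are loaded.
# ServerName, certificate paths and URI prefixes are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # CRIME: TLS-level compression. Off by default in current 2.4
    # releases; stating it explicitly protects against config drift.
    SSLCompression off

    # BREACH: HTTP-level compression of pages that carry a secret next to
    # attacker-influenced input. Compress only static types and leave
    # text/html and application/json (where dynamic secrets live) alone.
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE image/svg+xml

        # Defence in depth: mod_deflate honours the no-gzip variable, so
        # even if text/html is added to the list later, the dynamic paths
        # that emit per-user secrets stay uncompressed.
        SetEnvIf Request_URI "^/(account|login|api)/" no-gzip
    </IfModule>
</VirtualHost>
```

After `apachectl configtest` and a reload, the behaviour can be confirmed from the client side: a request for a stylesheet sent with `Accept-Encoding: gzip` should come back with `Content-Encoding: gzip`, while the same request for a page under `/account/` should not. That second check is the one a BREACH-aware analyzer is really interested in; a tool that simply flags "compression disabled" on the whole site is scoring performance, not the attack surface.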
Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
On Fri, Jun 06, 2014 at 09:21:20AM -0500, Tom Browder wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder tom.brow...@gmail.com wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7. I haven't turned on compression because of all the warnings about CRIME and BREACH. However, when I run my sites against web site analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
>
> Ping! Anyone?

The site that seems authoritative for testing SSL is https://www.ssllabs.com/ssltest/

-- 
David Benfell benf...@parts-unknown.org
See https://parts-unknown.org/node/2 if you don't understand the attachment.