Martin,

On 8/8/13 8:20 PM, Martin Gainty wrote:
> as earlier mentioned
>
> chrome is the only browser that supports compression on SSL
> streams

Mozilla Firefox had implemented TLS+compression for SPDY requests, and thus was vulnerable. Since CRIME, both browsers have disabled compression for TLS.

Disabling TLS compression whilst enabling gzip compression merely re-enables a similar attack that had been mitigated by disabling SSL compression in the first place. So, it doesn't matter what browser you use, since you can usually bet that the client supports gzip and/or deflate compression for Content-Encoding. (Well, you don't have to bet, since the client advertises that fact via Accept-Encoding.)

The point is that this is not something most people are safe from due to their browsers' inabilities. On the contrary: swapping TLS compression with "regular" compression has given this attack much wider applicability.

-chris
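One server-side mitigation that fits the point above, as an added example (not code from this thread, from Chris, or from Tomcat): when gzip/deflate Content-Encoding stays enabled, a secret such as a CSRF token is embedded with a fresh random mask on every response, so its byte pattern is never stable in the body that gets compressed next to reflected input. The token value, the form layout and the function names are constructed for this example.

```python
import html
import secrets


def mask_token(token: bytes) -> bytes:
    """Encode a token as mask || (token XOR mask) with a fresh random mask.

    Each response carries a different encoding of the same secret, so the
    deflate/gzip back-reference search has no fixed pattern to match a
    reflected guess against. Constructed example, not a library API."""
    if not token:
        raise ValueError("empty token")
    mask = secrets.token_bytes(len(token))
    return mask + bytes(t ^ m for t, m in zip(token, mask))


def unmask_token(masked: bytes) -> bytes:
    """Recover the original token from mask || (token XOR mask).

    A truncated or odd-length value is rejected rather than silently
    decoded to the wrong token."""
    if not masked or len(masked) % 2:
        raise ValueError("malformed masked token")
    half = len(masked) // 2
    mask, xored = masked[:half], masked[half:]
    return bytes(x ^ m for x, m in zip(xored, mask))


def render_form(token: bytes, user_input: str) -> bytes:
    """Constructed page: a reflected query parameter beside a CSRF field.

    The token is masked before it is embedded; the raw token hex therefore
    never appears in the response body that Content-Encoding compresses."""
    hidden = mask_token(token).hex()
    page = (
        "<html><body>"
        f"<p>Results for: {html.escape(user_input)}</p>"
        f'<form method="post"><input type="hidden" name="csrf" value="{hidden}">'
        "</form></body></html>"
    )
    return page.encode()


def token_from_form_value(value: str) -> bytes:
    """Server side: decode the hex field the browser posts back and unmask it."""
    return unmask_token(bytes.fromhex(value))
```

The unmasked token is compared server-side with the session's stored token; only the masked form ever travels inside a compressed response.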