httpd-dev mailing list archives

From: Stefan Fritsch ...@sfritsch.de>
Subject: Re: [Bug 53219] mod_ssl should allow to disable ssl compression
Date: Mon, 08 Oct 2012 14:48:40 GMT
On Monday 08 October 2012, Roy T. Fielding wrote:
> On Oct 7, 2012, at 6:05 PM, Eric Covener wrote:
> > Any opinions on the default change?  AIUI current maintenance of
> > browsers have disabled TLS compression already, because they can
> > be driven to generate arbitrary traffic that eventually reveals
> > httpOnly session cookies.
> 
> Just disable it completely -- adaptive compression of headers is
> inherently incompatible with the goals of TLS.

Is it? I think the main problem is the broken security model of web 
browsers. There are many scenarios where compression does not hurt, 
e.g. with non-browser clients that do not allow chosen plaintext 
attacks, or if authentication is done by client certificate and not by 
header.

Therefore, I would prefer leaving the option available. But defaulting 
to off makes sense.

Cheers,
Stefan

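The attack Eric describes above, and the distinction Stefan draws between it and a client that admits no chosen plaintext, simulated offline. This is an added example written for this page, not code from httpd or from anyone in the thread. The request layout, the host name, the cookie value "sessionid=7f3a9c" and the wrong guess "zqwvxy" are all constructed. The greedy tokenizer stands in for the LZ77 stage of DEFLATE so that the size signal is exact; the last function repeats the experiment against real zlib output, where Huffman coding and byte rounding blur a one-byte difference (real attack tooling works around that noise with padding tricks), which is why only the whole-cookie comparison is measured there.

```python
"""CRIME-style compression side channel, simulated offline.

The request mixes attacker-chosen bytes (a URL the browser was lured into
fetching) with a secret the browser appends on its own (the httpOnly cookie).
Adaptive compression such as TLS's DEFLATE then encodes the secret partly as a
back-reference to the attacker's bytes, so the compressed size tells the
attacker whether a guess matched one more byte of the secret.
"""
import zlib

# Constructed sample values; the cookie value and wrong guess are hypothetical.
SECRET_COOKIE = "sessionid=7f3a9c"
KNOWN_PREFIX = "sessionid="      # the cookie name is public, only the value is secret
ALPHABET = "0123456789abcdef"


def build_request(attacker_path: str, cookie: str) -> bytes:
    """Plaintext a browser would put into one TLS record: attacker-controlled
    path first, then the headers the browser adds automatically."""
    return (f"GET /{attacker_path} HTTP/1.1\r\n"
            f"Host: example.com\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode()


def lz77_tokens(data: bytes, min_match: int = 3) -> int:
    """Greedy LZ77 tokenizer: how many tokens (literal bytes or back-references)
    the input needs.  This is DEFLATE's LZ77 stage with Huffman coding and byte
    rounding stripped away, so one extra matched byte is exactly one token fewer."""
    i, tokens = 0, 0
    while i < len(data):
        best = 0
        for j in range(i):
            length = 0
            while i + length < len(data) and data[j + length] == data[i + length]:
                length += 1
            best = max(best, length)
        i += best if best >= min_match else 1
        tokens += 1
    return tokens


def shared_context_oracle(attacker_path: str) -> int:
    """What CRIME observes: the size of a record holding both guess and cookie."""
    return lz77_tokens(build_request(attacker_path, SECRET_COOKIE))


def separate_context_oracle(attacker_path: str) -> int:
    """The 'no chosen plaintext' case: the attacker's bytes and the secret never
    share a compression window (the secret is compressed on its own, or not at
    all).  The size still varies with the path, but never with the secret."""
    return lz77_tokens(build_request(attacker_path, "")) + lz77_tokens(SECRET_COOKIE.encode())


def recover_secret(oracle, known_prefix: str, alphabet: str, length: int) -> str:
    """Byte-by-byte recovery: the candidate whose request compresses smallest
    extended the back-reference, so it is the next byte of the secret."""
    recovered = ""
    for _ in range(length):
        sizes = {c: oracle(known_prefix + recovered + c) for c in alphabet}
        recovered += min(sizes, key=sizes.get)
    return recovered


def deflate_sizes(cookie: str) -> tuple[int, int]:
    """Same experiment against real DEFLATE (zlib, level 9): compressed request
    size when the attacker's path carries the whole correct cookie versus a
    wrong one of the same length.  Returns (correct_guess_size, wrong_guess_size)."""
    wrong = KNOWN_PREFIX + "zqwvxy"          # hypothetical wrong guess, no repeats
    return (len(zlib.compress(build_request(cookie, cookie), 9)),
            len(zlib.compress(build_request(wrong, cookie), 9)))


if __name__ == "__main__":
    print("shared context  :", recover_secret(shared_context_oracle, KNOWN_PREFIX, ALPHABET, 6))
    print("separate context:", recover_secret(separate_context_oracle, KNOWN_PREFIX, ALPHABET, 6))
    print("zlib sizes (correct, wrong):", deflate_sizes(SECRET_COOKIE))
```

With the shared context the guessing loop walks the cookie value out one hex digit per sixteen requests; with the separate context every candidate scores the same and the loop learns nothing, which is the property a non-browser client or certificate-based authentication gives you. Disabling compression removes the shared context outright, which is what defaulting to off buys.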