On Monday 08 October 2012, Roy T. Fielding wrote:
> On Oct 7, 2012, at 6:05 PM, Eric Covener wrote:
> > Any opinions on the default change? AIUI current maintenance of
> > browsers have disabled TLS compression already, because they can
> > be driven to generate arbitrary traffic that eventually reveals
> > httpOnly session cookies.
>
> Just disable it completely -- adaptive compression of headers is
> inherently incompatible with the goals of TLS.
Is it? I think the main problem is the broken security model of web
browsers. There are many scenarios where compression does not hurt,
e.g. with non-browser clients that do not allow chosen plaintext
attacks, or if authentication is done by client certificate and not by
header.
Therefore, I would prefer leaving the option available. But defaulting
to off makes sense.
Cheers,
Stefan
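The "chosen plaintext" risk the thread refers to can be made concrete without any network or TLS at all: DEFLATE (the algorithm TLS compression uses) back-references repeated byte sequences, so a request whose attacker-influenced part shares a prefix with a secret header compresses to fewer bytes than one that does not. The following is an added illustration, not code from the thread or from httpd; the request layout, the cookie value and the function names are constructed for the example.

```python
import ssl
import zlib

# Constructed secret: a session cookie as it would appear in a request header.
SECRET_COOKIE = "sessionid=7f3a9c1e"  # constructed sample value, not a real cookie


def build_request(path: str, cookie: str = SECRET_COOKIE) -> bytes:
    """Assemble a minimal HTTP/1.1 request whose path is the only varying part.

    The path stands in for request content a browser can be made to send
    (e.g. a URL chosen by a third-party page); the Cookie header carries the
    secret the client attaches automatically.
    """
    return (
        f"GET /{path} HTTP/1.1\r\n"
        f"Host: example.test\r\n"
        f"Cookie: {cookie}\r\n"
        f"\r\n"
    ).encode("ascii")


def compressed_len(data: bytes) -> int:
    """Length after zlib/DEFLATE compression at the default level.

    TLS compression (RFC 3749) wraps the same DEFLATE algorithm, so this is
    a faithful stand-in for the on-the-wire record size.
    """
    return len(zlib.compress(data))


def length_difference(good_guess: str, bad_guess: str) -> int:
    """Bytes saved when the path shares a prefix with the secret cookie.

    Returns compressed_len(request with bad_guess) - compressed_len(request
    with good_guess). A positive value means the ciphertext length alone
    reveals that good_guess matched more of the secret than bad_guess did.
    """
    return compressed_len(build_request(bad_guess)) - compressed_len(build_request(good_guess))


def client_context_without_compression() -> ssl.SSLContext:
    """Client-side counterpart of the server default discussed in the thread.

    OP_NO_COMPRESSION tells OpenSSL not to offer or accept TLS compression,
    so even a server that still allows it cannot negotiate it with this client.
    """
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


if __name__ == "__main__":
    # Four matching characters versus four non-matching ones: the matching
    # guess lets DEFLATE replace a longer run of the cookie with a back-reference,
    # so its compressed request is several bytes shorter.
    print("bytes leaked by a 4-char prefix match:",
          length_difference("sessionid=7f3a", "sessionid=WXYZ"))
```

The measurable size difference is the whole of the side channel: nothing about the cipher is broken, which is why the fix is to stop compressing rather than to change the cipher suite. It also shows where Stefan's caveat holds: a client that never sends attacker-chosen bytes alongside its secret (or authenticates with a client certificate instead of a header) gives an observer no guess to compare against. On the server side, mod_ssl's `SSLCompression off` directive is the knob the thread is discussing the default of.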