httpd-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: [Bug 53219] mod_ssl should allow to disable ssl compression
Date Mon, 08 Oct 2012 02:15:26 GMT
On Oct 7, 2012, at 6:05 PM, Eric Covener wrote:

> Any opinions on the default change?  AIUI current maintenance of
> browsers have disabled TLS compression already, because they can be
> driven to generate arbitrary traffic that eventually reveals httpOnly
> session cookies.

Just disable it completely -- adaptive compression of headers is
inherently incompatible with the goals of TLS.

....Roy
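
The length side channel behind the point above, as an added example that is not part of the original message or of httpd: encryption hides a record's bytes but not its size, so compressing third-party-influenced data together with a secret makes the size depend on the secret. The cookie, host and guesses are constructed sample values, and zlib stands in for TLS-level DEFLATE.

```python
import zlib

# Constructed sample values (not from the original message).
SECRET_COOKIE = "sessionid=7f3a9c1e5b2d4806af19c3e7d5b2a460"
RIGHT_GUESS = "sessionid=7f3a9c1e5b2d4806af19c3e7d5b2a460"
WRONG_GUESS = "sessionid=0123456789abcdeffedcba9876543210"


def build_request(injected: str) -> bytes:
    """Request whose path is influenced by a third party, while the
    browser attaches the httpOnly cookie on its own."""
    return (
        f"GET /?q={injected} HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n"
        "\r\n"
    ).encode("ascii")


def record_length(plaintext: bytes, tls_compression: bool) -> int:
    """Size an on-path observer sees. The cipher adds only a fixed
    overhead, which is omitted here."""
    if tls_compression:
        return len(zlib.compress(plaintext))
    return len(plaintext)


def length_signal(tls_compression: bool) -> int:
    """Observed size difference between a wrong and a right guess of the
    same length. Non-zero means the record size depends on the secret."""
    right = record_length(build_request(RIGHT_GUESS), tls_compression)
    wrong = record_length(build_request(WRONG_GUESS), tls_compression)
    return wrong - right


if __name__ == "__main__":
    print("compression on :", length_signal(True), "byte difference")
    print("compression off:", length_signal(False), "byte difference")
```

With compression off, both requests produce records of identical size, which is the property that disabling it restores.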

