httpd-users mailing list archives

From Tom Browder <tom.brow...@gmail.com>
Subject Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
Date Fri, 06 Jun 2014 15:53:39 GMT
On Fri, Jun 6, 2014 at 10:35 AM, Tom Browder <tom.browder@gmail.com> wrote:
> On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick <trawick@gmail.com> wrote:
>>> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <tom.browder@gmail.com> wrote:
>>> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
>>> > I haven't turned on compression because of all the warnings about
>>> > CRIME and BREACH.  However, when I run my sites against web site
>>> > analyzers they always suggest turning on compression.
>>> >
>>> > So what is the consensus?
> ...
>> I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
>> some of your question.  There's also an Apache-specific chapter of the big
>> book which I haven't looked at.

> Thanks, Jeff--I forgot about Ivan's book!

Actually, I also forgot about the Qualys site altogether!

And I think this is the answer:

  https://community.qualys.com/message/20404#20404

Note also the site has a wonderful (and free) SSL/TLS checker I have
used a lot in the past:

  https://www.ssllabs.com/ssltest/

Best,

-Tom
