httpd-users mailing list archives

From: Jeff Trawick <traw...@gmail.com>
Subject: Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?
Date: Fri, 06 Jun 2014 15:16:07 GMT

On Fri, Jun 6, 2014 at 10:21 AM, Tom Browder <tom.browder@gmail.com> wrote:

> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <tom.browder@gmail.com> wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH.  However, when I run my sites against web site
> > analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
>
> Ping!  Anyone?
>

I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
some of your question.  There's also an Apache-specific chapter of the big
book which I haven't looked at.

See
http://blog.ivanristic.com/2014/05/bulletproof-update-may-deployment-and-performance.html


>
> -Tom
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
