From: Tom Browder
Date: Fri, 6 Jun 2014 10:35:09 -0500
To: users@httpd.apache.org
Subject: Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick wrote:
>> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder wrote:
>> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
>> > I haven't turned on compression because of all the warnings about
>> > CRIME and BREACH. However, when I run my sites against web site
>> > analyzers they always suggest turning on compression.
>> >
>> > So what is the consensus?
...
> I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
> some of your question. There's also an Apache-specific chapter of the big
> book which I haven't looked at.

Thanks, Jeff--I forgot about Ivan's book!

Best regards,

-Tom