Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

On Fri, Jun 6, 2014 at 10:21 AM, Tom Browder <tom.browder@xxxxxxxxx> wrote:
On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <tom.browder@xxxxxxxxx> wrote:
> I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> I haven't turned on compression because of all the warnings about
> CRIME and BREACH.  However, when I run my sites against web site
> analyzers they always suggest turning on compression.
>
> So what is the consensus?

Ping!  Anyone?

I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses some of your question.  There's also an Apache-specific chapter of the big book which I haven't looked at.

See http://blog.ivanristic.com/2014/05/bulletproof-update-may-deployment-and-performance.html
 

-Tom

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/

