On Fri, Apr 3, 2015 at 3:53 PM, Salz, Rich <rsalz at akamai.com> wrote:
> I am thinking about removing compression and would like to know what the
> community thinks.
>

What the community thinks does not matter. If your threat model includes recovery via compression through protocols like TLS, HTTPS and SPDY, then you have to disable it. Or if you have a "defensive" security posture, then you should disable it.

You can disable it in TLS by configuring OpenSSL with no-comp:

    ./config no-ssl2 no-ssl3 no-comp --prefix=/usr/local

For what it's worth, I've been disabling compression since the attacks surfaced. I've never had a problem.

Jeff