On Sun, Oct 27, 2013 at 06:25:49PM -0400, Michael Gilbert wrote: > package: openssl > severity: important > version: 0.9.8o-1 > tag: security > > Hi, > > This is the CVE for the CRIME issue. Redhat and Ubuntu have corrected > this in openssl by disabling zlib compression by default. Please see: > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4929
I'm not sure what to do with this. As far as I understand this, this is only a problem if the client side can somehow automate an attack. There are basicly 4 places that can fix this: - The library the client program is using - The client program itself - The library the server is using - The server itself But there is also a problem of using compression not at the SSL level but at the HTTP level (BREACH) which can only be fixed in the client and server, not in the libraries. So at least the client and server need to get changed anyway. You can of course use SSL without HTTP, but I think it's a lot harder in those cases to get the a client to automate many connection attempts. So I'm wondering if I should just disable compression support completly or not. Redhat seems to make it conditional on an evironment variable. I have to wonder if there is still a good use case for having compression support at the SSL level. If applications think it's safe to have compression support they can do it at the application layer. Kurt -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

