On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz < ch...@christopherschultz.net> wrote:
> ... and the SSLDisableCompression setting (when set to "false") is
> intended to mitigate the CRIME attack against SSL/TLS compression.
> Feel free to read online all about the CRIME attack.

That was what I was hoping it did when I asked the original question :)

> I haven't really done any analysis of SSL compression (that is,
> compression as implemented by the TLS/SSL layer) alone versus
> compression-less-SSL + gzip, but I suspect that any combination of
> compression and encryption can lead to CRIME-like attacks ...

That seems to be true since there is now the BREACH attack:
http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
which (I think) is compression-less-SSL + gzip.
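The thread's point is that the leak comes from compression, whether TLS-level (CRIME) or HTTP-level gzip (BREACH), so turning off SSL compression alone does not cover a gzip-compressed body that carries a secret. A common application-side mitigation is to never put the same secret bytes on the wire twice: XOR the token with a fresh random mask on every response and send mask plus masked value. The example below is added here and is not code from the thread or from the server being discussed; the token value is a constructed sample, and `mask_token`, `unmask_token` and `second_copy_cost` are hypothetical helper names. The last function measures, with DEFLATE, how cheaply a second copy of a secret compresses when it is stable versus when it is freshly masked.

```python
import os
import zlib
from typing import Optional

# Constructed sample secret: stands in for a CSRF token or session id that a
# page embeds in its HTML body (32 bytes, not a value from the thread).
TOKEN = b"8f3a1c9d0e7b4a6f2c5d9e1b3a7f0c4d"


def mask_token(token: bytes, mask: Optional[bytes] = None) -> bytes:
    """Return mask || (token XOR mask), with a fresh random mask per call.

    The server can still recover the real token (see unmask_token), but the
    bytes on the wire differ on every response, so a compressor never sees
    the same secret substring twice and cannot be used to compare a guess
    against it.
    """
    if mask is None:
        mask = os.urandom(len(token))
    if len(mask) != len(token):
        raise ValueError("mask must be the same length as the token")
    xored = bytes(t ^ m for t, m in zip(token, mask))
    return mask + xored


def unmask_token(masked: bytes) -> bytes:
    """Inverse of mask_token: split off the mask and XOR it back out."""
    if len(masked) % 2 != 0:
        raise ValueError("masked token must be mask || xored, equal halves")
    half = len(masked) // 2
    mask, xored = masked[:half], masked[half:]
    return bytes(x ^ m for x, m in zip(xored, mask))


def deflate_len(body: bytes) -> int:
    """Size after DEFLATE at maximum level, i.e. roughly what gzip sends."""
    return len(zlib.compress(body, 9))


def second_copy_cost(first_on_wire: bytes, second_on_wire: bytes) -> int:
    """Extra compressed bytes needed when the secret appears a second time.

    The first copy sits in a form field, the second in a link. A stable
    secret makes the second copy a cheap back-reference; a freshly masked
    secret shares no substring with the first copy and costs its full length.
    """
    base = b"<input name='csrf' value='" + first_on_wire + b"'>"
    extra = b"<a href='/logout?csrf=" + second_on_wire + b"'>logout</a>"
    return deflate_len(base + extra) - deflate_len(base)


if __name__ == "__main__":
    stable = second_copy_cost(TOKEN, TOKEN)
    masked = second_copy_cost(mask_token(TOKEN), mask_token(TOKEN))
    print(f"second copy of a stable token costs {stable} compressed bytes")
    print(f"second copy of a per-response masked token costs {masked} bytes")
    assert unmask_token(mask_token(TOKEN)) == TOKEN
```

In a real response the masked value would be base64- or hex-encoded before being written into HTML; the compression argument is unchanged by that encoding. Masking protects only the token itself: any other secret that is repeated verbatim in a compressed body, or that an attacker-supplied string can be placed next to, still needs its own handling (for example, not reflecting user input into the same compressed response as the secret).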