As mentioned earlier, Chrome is the only browser that supports compression on SSL streams.

Martin
______________________________________________
Disclaimer and confidentiality notice
This message is confidential. If you are not the intended recipient, we kindly ask that you notify us. Any unauthorized forwarding or copying is not permitted. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.

> Date: Thu, 8 Aug 2013 17:47:36 -0400
> Subject: Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'
> From: dlan...@gmail.com
> To: users@tomcat.apache.org
>
> On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> > ... and the SSLDisableCompression setting (when set to "false") is
> > intended to mitigate the CRIME attack against SSL/TLS compression.
> > Feel free to read online all about the CRIME attack.
>
> That was what I was hoping it did when I asked the original question :)
>
> > I haven't really done any analysis of SSL compression (that is,
> > compression as implemented by the TLS/SSL layer) alone versus
> > compression-less-SSL + gzip, but I suspect that any combination of
> > compression and encryption can lead to CRIME-like attacks ...
>
> That seems to be true since there is now the BREACH attack:
>
> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
>
> which (I think) is compression-less-SSL + gzip.
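
An added example, not part of the thread and not Tomcat's own code: a Python check that reads a `server.xml` and flags TLS connectors on which either of the two compression layers discussed above (the connector's HTTP-level `compression`, or TLS-level compression controlled by `SSLDisableCompression` on the APR connector) is still active. The sample XML is constructed; the check treats `SSLDisableCompression="true"` as the value that turns TLS compression off, and treating a missing attribute as "not disabled" is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the thread).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" compression="on"/>
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               compression="on" SSLDisableCompression="false"/>
    <Connector port="9443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               compression="off" SSLDisableCompression="true"/>
  </Service>
</Server>
"""

def audit_connectors(server_xml):
    """Return (port, finding) tuples for TLS connectors that still compress."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # not a TLS connector; out of scope for this check
        port = conn.get("port", "?")
        # 'compression' is HTTP-level gzip: on / off / force / min size.
        # Anything other than "off" means responses are compressed
        # before encryption (the BREACH-style combination).
        if conn.get("compression", "off").lower() != "off":
            findings.append((port, "HTTP compression enabled over TLS"))
        # SSLDisableCompression applies to the APR/native connector.
        # Assumption: a missing attribute means compression is not disabled.
        is_apr = "apr" in conn.get("protocol", "").lower()
        tls_off = conn.get("SSLDisableCompression", "false").lower() == "true"
        if is_apr and not tls_off:
            findings.append((port, "TLS compression not disabled"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"connector {port}: {finding}")
```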