David,

On 8/8/13 5:47 PM, David Landis wrote:
> On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
>> 
>> ... and the SSLDisableCompression setting (when set to "false")
>> is intended to mitigate the CRIME attack against SSL/TLS
>> compression. Feel free to read online all about the CRIME
>> attack.
>> 
> 
> That was what I was hoping it did when I asked the original
> question :)
> 
> 
>> I haven't really done any analysis of SSL compression (that is, 
>> compression as implemented by the TLS/SSL layer) alone versus 
>> compression-less-SSL + gzip, but I suspect that any combination
>> of compression and encryption can lead to CRIME-like attacks ...
> 
> 
> That seems to be true since there is now the BREACH attack:
> 
> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
>
>  which (I think) is compression-less-SSL + gzip.

It is compression + deflate as explained in the article, but gzip
basically works the same way (LZ77 + Huffman).

It's too bad it took a researcher a year to figure out that
compression of any kind makes encryption (where the attacker can force
random probing attacks) weak. It's not like SSL+compression and
SSL-compression+compression are that different.

-chris
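To make the point in the thread concrete, here is an added illustration (not from the thread, and not Tomcat code): it measures the compressed size of a constructed page that carries a CSRF token next to reflected user input, once under HTTP-level gzip and once under raw DEFLATE as TLS-layer compression would apply it, and shows the per-response token masking commonly used as a BREACH mitigation. The page body, the token value and all helper names are assumptions for the example.

```python
import gzip
import secrets
import zlib

TOKEN = "a1b2c3d4e5f6"  # constructed secret (e.g. a CSRF token)


def build_body(token: str, reflected: str) -> bytes:
    """Constructed response: secret and attacker-influenced text share one compressed stream."""
    return (
        "<html><body>"
        f"<form><input type='hidden' name='csrf' value='{token}'></form>"
        f"<p>No results for '{reflected}'</p>"
        "</body></html>"
    ).encode()


def gzip_len(body: bytes) -> int:
    """Size after HTTP-level gzip (Content-Encoding: gzip)."""
    return len(gzip.compress(body, compresslevel=9, mtime=0))


def tls_deflate_len(body: bytes) -> int:
    """Size after zlib/DEFLATE, the same algorithm TLS-level compression used."""
    return len(zlib.compress(body, 9))


def size_delta(token: str, prefix: str, size_fn) -> int:
    """Defender's self-check: does response size depend on whether reflected input
    shares a prefix with the secret? Returns (non-matching size) - (matching size);
    a positive value means the compressor is acting as a length oracle."""
    matching = f"csrf' value='{prefix}"
    unrelated = f"csrf' value='{'!#$%&*+'[:len(prefix)]}"  # same length, no shared bytes
    return size_fn(build_body(token, unrelated)) - size_fn(build_body(token, matching))


def mask_token(token: bytes, mask=None) -> bytes:
    """Per-response masking: wire representation is mask || (mask XOR token), so the
    raw token bytes never appear on the page and differ on every response."""
    mask = mask or secrets.token_bytes(len(token))
    return mask + bytes(m ^ t for m, t in zip(mask, token))


def unmask_token(blob: bytes) -> bytes:
    """Recover the real token from a masked representation."""
    n = len(blob) // 2
    return bytes(m ^ x for m, x in zip(blob[:n], blob[n:]))
```

Both compressors report the same kind of size difference, which is the thread's point that the layer doing the compression does not matter; masking makes the secret's bytes unrepeatable across responses, so a fixed guess has nothing stable to match.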

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org