Posted to users@httpd.apache.org by Tom Browder <to...@gmail.com> on 2014/06/06 16:21:20 UTC

[users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
> I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> I haven't turned on compression because of all the warnings about
> CRIME and BREACH.  However, when I run my sites against web site
> analyzers they always suggest turning on compression.
>
> So what is the consensus?

Ping!  Anyone?

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by cain dickens <ca...@gmail.com>.

On Fri, 2014-06-06 at 09:21 -0500, Tom Browder wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH.  However, when I run my sites against web site
> > analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
> 
> Ping!  Anyone?
> 
> -Tom
> 
Sorry, I have no idea.

Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by David Benfell <be...@parts-unknown.org>.
On Fri, Jun 06, 2014 at 09:21:20AM -0500, Tom Browder wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH.  However, when I run my sites against web site
> > analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
> 
> Ping!  Anyone?
> 

The site that seems authoritative for testing SSL is
https://www.ssllabs.com/ssltest/

-- 
David Benfell <be...@parts-unknown.org>
See https://parts-unknown.org/node/2 if you don't understand the
attachment.

Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by Tom Browder <to...@gmail.com>.
On Fri, Jun 6, 2014 at 10:35 AM, Tom Browder <to...@gmail.com> wrote:
> On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick <tr...@gmail.com> wrote:
>>> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
>>> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
>>> > I haven't turned on compression because of all the warnings about
>>> > CRIME and BREACH.  However, when I run my sites against web site
>>> > analyzers they always suggest turning on compression.
>>> >
>>> > So what is the consensus?
> ...
>> I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
>> some of your question.  There's also an Apache-specific chapter of the big
>> book which I haven't looked at.

> Thanks, Jeff--I forgot about Ivan's book!

Actually, I also forgot about the Qualys site altogether!

And I think this is the answer:

  https://community.qualys.com/message/20404#20404

Note also the site has a wonderful (and free) SSL/TLS checker I have
used a lot in the past:

  https://www.ssllabs.com/ssltest/

Best,

-Tom
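
As an added example (not from this thread, nor from the Qualys or Ristić pages it links to), here is one way to configure an Apache 2.4 TLS-only virtual host so that both risks the original question names are addressed: CRIME works against TLS-level compression, so that stays off in mod_ssl; BREACH works against HTTP-level compression of a response that carries both a secret (session cookie, CSRF token) and attacker-influenced input, so mod_deflate is attached only to static assets, where that combination does not occur. The hostname, certificate paths, DocumentRoot and the `/app` and `static` locations are hypothetical placeholders.

```apache
# Added example, not from the mailing-list thread. All paths and names are
# placeholders; adapt them to the real layout of the host.

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/example/htdocs"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/example/cert.pem"
    SSLCertificateKeyFile "/etc/ssl/example/key.pem"

    # CRIME targets TLS-level compression. Current 2.4 releases already
    # default this to off; stating it explicitly keeps it off even if the
    # default is overridden elsewhere in the configuration.
    SSLCompression off

    # BREACH needs a compressed HTTP response that contains a secret and
    # input the attacker can influence. Dynamic application pages are the
    # ones that fit that description, so no DEFLATE filter is attached at
    # the vhost level, and the application path additionally sets no-gzip,
    # which mod_deflate honours even if a later directive adds the filter.
    <Location "/app">
        SetEnv no-gzip 1
    </Location>

    # Static assets carry no per-user data, so compressing them recovers
    # most of the bandwidth benefit the site analyzers are asking for
    # without giving BREACH a response it can measure. The filter is
    # limited to content types that are never generated per user.
    <Directory "/var/www/example/htdocs/static">
        AddOutputFilterByType DEFLATE text/css application/javascript image/svg+xml
    </Directory>
</VirtualHost>
```

Two checks confirm the result on the running server: `openssl s_client -connect www.example.com:443 </dev/null` should report `Compression: NONE` in its session summary, and `curl -sI -H 'Accept-Encoding: gzip' https://www.example.com/app/` should come back without a `Content-Encoding` header, while the same request for a stylesheet under `/static/` should show `Content-Encoding: gzip`. The SSL Labs test mentioned in this thread reports the TLS-level compression state as well.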

Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by Tom Browder <to...@gmail.com>.
On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick <tr...@gmail.com> wrote:
>> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
>> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
>> > I haven't turned on compression because of all the warnings about
>> > CRIME and BREACH.  However, when I run my sites against web site
>> > analyzers they always suggest turning on compression.
>> >
>> > So what is the consensus?
...
> I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
> some of your question.  There's also an Apache-specific chapter of the big
> book which I haven't looked at.

Thanks, Jeff--I forgot about Ivan's book!

Best regards,

-Tom

Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Jun 6, 2014 at 10:21 AM, Tom Browder <to...@gmail.com> wrote:

> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH.  However, when I run my sites against web site
> > analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
>
> Ping!  Anyone?
>

I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
some of your question.  There's also an Apache-specific chapter of the big
book which I haven't looked at.

See
http://blog.ivanristic.com/2014/05/bulletproof-update-may-deployment-and-performance.html


>
> -Tom
>
-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/