Posted to users@httpd.apache.org by Tom Browder <to...@gmail.com> on 2014/06/03 22:52:47 UTC

[users] Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
I haven't turned on compression because of all the warnings about
CRIME and BREACH.  However, when I run my sites against web site
analyzers they always suggest turning on compression.

So what is the consensus?

If compression is recommended, does the server cache the compressed
files served so that compression is not needed every time?  Is there
any advantage (assuming it is possible) in compressing the static
files served?

Thanks.

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
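As an added example (not from this thread, and not Apache project configuration), this is the shape of a mod_ssl/mod_deflate setup that addresses the two concerns the question raises: TLS-level compression stays off (the CRIME vector) and HTTP-level compression is limited to static asset types that contain no per-user secrets (the BREACH concern). The hostname is a placeholder.

```apache
# Constructed example for an SSL/TLS-only vhost; hostname is a placeholder.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # CRIME abuses TLS-level compression, so keep it off explicitly rather than
    # relying on the build's default (directive available from httpd 2.4.3).
    SSLCompression off

    <IfModule mod_deflate.c>
        # BREACH needs HTTP-level compression of a response that mixes a secret
        # (CSRF token, session id) with content a third party can influence.
        # Static assets carry neither, so compress only those content types and
        # leave text/html and application/json off this list, uncompressed.
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE application/javascript text/javascript
        AddOutputFilterByType DEFLATE image/svg+xml
    </IfModule>
</VirtualHost>
```

mod_deflate compresses each response as it is sent and keeps no cache of the compressed output, so for static files the trade is CPU per request against bandwidth; serving pre-compressed siblings of static files is a separate mod_mime/mod_rewrite arrangement not shown here.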


Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by cain dickens <ca...@gmail.com>.

On Fri, 2014-06-06 at 09:21 -0500, Tom Browder wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH.  However, when I run my sites against web site
> > analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
> 
> Ping!  Anyone?
> 
> -Tom
> 
sorry I have no idea.

Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by David Benfell <be...@parts-unknown.org>.
On Fri, Jun 06, 2014 at 09:21:20AM -0500, Tom Browder wrote:
> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH.  However, when I run my sites against web site
> > analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
> 
> Ping!  Anyone?
> 

The site that seems authoritative for testing SSL is
https://www.ssllabs.com/ssltest/

-- 
David Benfell <be...@parts-unknown.org>
See https://parts-unknown.org/node/2 if you don't understand the
attachment.

Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by Tom Browder <to...@gmail.com>.
On Fri, Jun 6, 2014 at 10:35 AM, Tom Browder <to...@gmail.com> wrote:
> On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick <tr...@gmail.com> wrote:
>>> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
>>> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
>>> > I haven't turned on compression because of all the warnings about
>>> > CRIME and BREACH.  However, when I run my sites against web site
>>> > analyzers they always suggest turning on compression.
>>> >
>>> > So what is the consensus?
> ...
>> I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
>> some of your question.  There's also an Apache-specific chapter of the big
>> book which I haven't looked at.

> Thanks, Jeff--I forgot about Ivan's book!

Actually, I also forgot about the Qualys site altogether!

And I think this is the answer:

  https://community.qualys.com/message/20404#20404

Note also the site has a wonderful (and free) SSL/TLS checker I have
used a lot in the past:

  https://www.ssllabs.com/ssltest/

Best,

-Tom

Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by Tom Browder <to...@gmail.com>.
On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick <tr...@gmail.com> wrote:
>> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
>> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
>> > I haven't turned on compression because of all the warnings about
>> > CRIME and BREACH.  However, when I run my sites against web site
>> > analyzers they always suggest turning on compression.
>> >
>> > So what is the consensus?
...
> I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
> some of your question.  There's also an Apache-specific chapter of the big
> book which I haven't looked at.

Thanks, Jeff--I forgot about Ivan's book!

Best regards,

-Tom

Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Jun 6, 2014 at 10:21 AM, Tom Browder <to...@gmail.com> wrote:

> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> > I haven't turned on compression because of all the warnings about
> > CRIME and BREACH.  However, when I run my sites against web site
> > analyzers they always suggest turning on compression.
> >
> > So what is the consensus?
>
> Ping!  Anyone?
>

I think the free "OpenSSL cookbook" part of Ivan Ristić's guide addresses
some of your question.  There's also an Apache-specific chapter of the big
book which I haven't looked at.

See
http://blog.ivanristic.com/2014/05/bulletproof-update-may-deployment-and-performance.html


>
> -Tom
-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/

[users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

Posted by Tom Browder <to...@gmail.com>.
On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder <to...@gmail.com> wrote:
> I have several SSL/TLS-only virtual sites running under Apache 2.4.7.
> I haven't turned on compression because of all the warnings about
> CRIME and BREACH.  However, when I run my sites against web site
> analyzers they always suggest turning on compression.
>
> So what is the consensus?

Ping!  Anyone?

-Tom
