Bug#689936: apache2: handling the CRIME attack
Christoph Anton Mitterer
calestyo at scientia.net
Mon Oct 8 00:51:40 UTC 2012
Source: root-system
Severity: important
Tags: security
Hi folks,
AFAICS, Debian’s Apache2.2 is still vulnerable to CRIME.
Well, AFAIK, CRIME is thought to be fixed on the browser sides, by them
simply not using compression with TLS.
While this helps in many cases, IMHO it's not enough and I'd rather have
a way to force the server to secure things (just as it is, AFAIK, done
with the BEAST attack).
A feature to disable compression for mod_ssl has been backported to
2.2.x:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
Can we cherry-pick this?
And perhaps enable it by default in mod_ssl's config.
Cheers,
Chris.
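As an added example (not part of Christoph's message and not code from the Apache project), the script below checks the precondition CRIME depends on: whether a server still negotiates TLS-level compression. It sends a minimal ClientHello that advertises DEFLATE (RFC 3749) alongside the null method and reads the compression_method byte the server picks in its ServerHello; 0x00 means compression is off, 0x01 means DEFLATE was accepted. The mod_ssl directive that turns this off is SSLCompression off (shipped in 2.2.24 and 2.4.3 and later). The function names, the cipher-suite list and the sample ServerHello bytes are all constructed for this example; nothing here is captured from a real server.

```python
"""Probe whether a TLS server negotiates compression (the precondition for CRIME)."""
import os
import socket
import struct
import sys

COMPRESSION_NULL = 0x00
COMPRESSION_DEFLATE = 0x01  # RFC 3749

# A few widely supported TLS 1.0-1.2 AES-CBC suites; the cipher choice is irrelevant
# here, we only care which compression method the server sends back.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A]


def build_client_hello(server_name, offer_compression=True):
    """Return one TLS record carrying a ClientHello (with SNI) that offers DEFLATE."""
    if offer_compression:
        comp = bytes([COMPRESSION_DEFLATE, COMPRESSION_NULL])
    else:
        comp = bytes([COMPRESSION_NULL])
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    host = server_name.encode("idna")
    # server_name extension (RFC 6066): type 0, list of (name_type 0, host_name)
    sni_entry = struct.pack("!BH", 0, len(host)) + host
    sni = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + os.urandom(32)                             # random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + struct.pack("!B", len(comp)) + comp        # compression_methods
        + struct.pack("!H", len(ext)) + ext          # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def negotiated_compression(data):
    """Parse the server's first record and return the ServerHello compression_method.

    Returns None when the server answered with an alert or anything other than a
    ServerHello (a server that refuses the handshake tells us nothing about compression).
    """
    if len(data) < 5:
        return None
    ctype, rlen = data[0], struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rlen]
    if ctype != 0x16 or len(rec) < 4 or rec[0] != 0x02:   # not a handshake/ServerHello
        return None
    hlen = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hlen]
    if len(hs) < 35:                                      # version(2) + random(32) + sid_len(1)
        return None
    sid_len = hs[34]
    pos = 35 + sid_len                                    # cipher_suite(2), then compression_method(1)
    if len(hs) < pos + 3:
        return None
    return hs[pos + 2]


def sample_server_hello(compression_method):
    """Constructed ServerHello record for offline use; not captured from any real server."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + bytes([compression_method])
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def probe(host, port=443, timeout=5.0):
    """Connect, send the probing ClientHello and return the compression method chosen."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        data = b""
        # Read until the first record is complete (5-byte header + declared length).
        while len(data) < 5 or len(data) < 5 + int.from_bytes(data[3:5], "big"):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return negotiated_compression(data)


def describe(method):
    """Human-readable verdict for a compression_method value."""
    if method is None:
        return "no ServerHello received (handshake refused or non-TLS endpoint)"
    if method == COMPRESSION_DEFLATE:
        return "DEFLATE negotiated: TLS compression is ON, server is CRIME-exposed"
    return "null compression: TLS compression is off"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, "->", describe(probe(target)))
```

Run it as `python3 crime_probe.py example.org` against a host you are authorised to test; an Apache 2.2.24+ or 2.4.3+ instance with SSLCompression off (or an OpenSSL built without zlib) answers with the null method. The probe only observes what the server negotiates; it performs none of the CRIME plaintext recovery.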
More information about the debian-science-maintainers mailing list