By the way – SSL & security

Those who look at my webserver very carefully will probably notice that I have disabled any compression. The reason for this is the use of SSL for SPDY and this: http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/ plus this: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

SSL with compression carries the risk that an attacker can recover the transferred data much more easily. The only solution to this is to avoid any compression.

Just to make it clear: SPDY indeed builds on SSL, but the problem is SSL and the reduction of the transferred data by using compression. Without compression, SSL and SPDY can be used safely.

Update 2012-10-31: Compressing the content is not that problematic, since the information which is interesting for an attacker, like session cookies, is transferred in the header, which is not compressed even with active compression of the content. You may have to make sure that the configuration of mod_ssl in Apache contains the option SSLCompression off. Therefore I decided to enable content compression again and just leave SSL compression disabled (also see the test at https://www.ssllabs.com/ssltest/analyze.html?d=arnowelzel.de).
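Whether a server still negotiates TLS-level compression is visible in the single compression_method byte of its ServerHello (0x00 = null, 0x01 = DEFLATE). The following added example, which is not part of the original post and not the author's code, parses a ServerHello record and flags any non-null compression method, so an operator can confirm that `SSLCompression off` actually took effect. The `build_server_hello` helper only constructs sample records for the demonstration; the version, random bytes and cipher suite in them are constructed values. The `live_compression_check` function uses Python's standard `ssl` module against a real host and is not exercised offline.

```python
"""Check a TLS ServerHello for negotiated compression (the CRIME precondition)."""
import socket
import ssl
import struct

TLS_HANDSHAKE = 0x16   # record content type: handshake
SERVER_HELLO = 0x02    # handshake message type: ServerHello
TLS_1_2 = 0x0303
# Compression method identifiers from the TLS registry.
COMPRESSION_NAMES = {0x00: "null", 0x01: "DEFLATE", 0x40: "LZS"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello.

    Returns the negotiated version, cipher suite and compression method.
    Raises ValueError if the bytes are not a complete ServerHello record.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated TLS record")
    if body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    # 2 bytes version + 32 bytes random, then the session id length byte.
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 3:
        raise ValueError("ServerHello too short for cipher/compression")
    cipher_suite = struct.unpack("!H", hello[off:off + 2])[0]
    compression = hello[off + 2]
    return {
        "version": version,
        "cipher_suite": cipher_suite,
        "compression": compression,
        "compression_name": COMPRESSION_NAMES.get(compression, "unknown"),
    }


def negotiates_compression(record: bytes) -> bool:
    """True if the server selected anything other than the null method."""
    return parse_server_hello(record)["compression"] != 0x00


def build_server_hello(compression: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record for testing (constructed sample).

    Uses TLS 1.2, an all-zero random and cipher suite 0xC02F
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); no extensions.
    """
    random_bytes = b"\x00" * 32  # constructed, not a real server random
    hello = (struct.pack("!H", TLS_1_2) + random_bytes
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", 0xC02F) + bytes([compression]))
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([TLS_HANDSHAKE]) + struct.pack("!H", TLS_1_2)
            + struct.pack("!H", len(handshake)) + handshake)


def live_compression_check(host: str, port: int = 443):
    """Connect to a real server and report the compression OpenSSL negotiated.

    Returns None when no compression is in use, which is the desired state.
    Not called offline; requires network access.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.compression()


if __name__ == "__main__":
    for method in (0x00, 0x01):
        info = parse_server_hello(build_server_hello(method))
        print(f"compression {info['compression_name']}: "
              f"{'EXPOSED' if info['compression'] else 'ok'}")
```

Modern OpenSSL builds disable TLS compression by default and Python's `ssl` contexts set `OP_NO_COMPRESSION`, so `live_compression_check` returning `None` is the expected result against a correctly configured server; the parser is what you would run over a captured handshake when the client side is not under your control.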
