[Cialug] Webserver mitigation against BREACH
Nicolai
nicolai-cialug at chocolatine.org
Tue Aug 6 14:00:12 CDT 2013
Hello,
You may have read about the new BREACH [0] attack against HTTP-level
compression in SSL/TLS sessions. The fool-proof way to mitigate this
attack is to simply disable on-the-fly compression in SSL/TLS. In
nginx.conf you can do this under your ssl server section:
gzip off;
gzip_static on; # not necessary but can help retain performance
The first option disables compression done on the fly, including dynamic
content targeted by BREACH. The second option, gzip_static, pertains
only to pre-compressed, static files, which are not applicable to
BREACH, e.g.
gzip -c -9 index.html > index.html.gz # or...
zopfli index.html # better compression
What are the related options in Apache? Other webservers?
Nicolai
[0] http://breachattack.com/
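A small script, added here and not part of Nicolai's post, that performs the pre-compression step above for a whole document root so that gzip_static has archives to serve while on-the-fly gzip stays off in the TLS server block. It assumes the listed extensions cover your static, non-secret assets, and uses zopfli only when it is installed (falling back to gzip -9).

```shell
#!/bin/sh
# Added example (not from the original post): pre-compress static assets for
# nginx's gzip_static. Assumption: the extensions matched in precompress_static
# are static files with no per-user secrets, so BREACH does not apply to them.

# Compress one file to <file>.gz next to it, keeping the original.
# Skips files whose .gz is already up to date; verifies the archive
# round-trips to the original bytes before keeping it.
precompress_file() {
    src=$1
    gz="$src.gz"
    if [ -f "$gz" ] && [ ! "$src" -nt "$gz" ]; then
        return 0                       # archive already current
    fi
    if command -v zopfli >/dev/null 2>&1; then
        zopfli -c "$src" > "$gz"       # smaller output, same gzip format
    else
        gzip -c -9 "$src" > "$gz"
    fi
    if gzip -dc "$gz" | cmp -s - "$src"; then
        touch -r "$src" "$gz"          # align mtimes for the freshness check
        return 0
    fi
    rm -f "$gz"                        # never serve a broken archive
    return 1
}

# Walk a document root and pre-compress the static asset types.
precompress_static() {
    docroot=$1
    find "$docroot" -type f \( -name '*.html' -o -name '*.css' \
        -o -name '*.js' -o -name '*.svg' \) -print |
    while IFS= read -r f; do
        precompress_file "$f" || echo "failed: $f" >&2
    done
}
```

Re-running the script is safe: files whose .gz is at least as new as the source are left alone, so it can be run after every deploy.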