[Cialug] Webserver mitigation against BREACH
Nicolai
nicolai-cialug at chocolatine.org
Tue Aug 6 14:37:32 CDT 2013
On Tue, Aug 06, 2013 at 02:12:23PM -0500, Paul Gray wrote:
> On 08/06/2013 02:00 PM, Nicolai wrote:
> > What are the related options in Apache? Other webservers?
>
> Turn off the deflate module in Apache2.
Is it possible to restrict this change to an <IfDefine SSL> in
httpd.conf, or otherwise to SSL/TLS sessions? I ask because some people
serve http and https from the same Apache instance, and it would be
unfortunate to disable compression system-wide when the attack only
concerns SSL/TLS. I don't have an Apache2 instance to test.
Nicolai
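
An added example, not part of the original message or the thread: one way to scope the change to TLS is to leave mod_deflate loaded and set the `no-gzip` environment variable, which mod_deflate honors, inside the HTTPS virtual host only. `<IfDefine SSL>` is evaluated once at startup (it tests for `-DSSL` on the command line), so it cannot tell http requests from https requests on a running instance. The host name, document root and certificate paths below are placeholders.

```apache
# Added example (assumed layout): one Apache instance serving both schemes.
# www.example.org, /var/www/html and the certificate paths are placeholders.

# Plain HTTP: compression stays on. BREACH targets secrets in responses
# protected by TLS, so there is nothing to recover here that is not
# already visible on the wire.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/html

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript
    </IfModule>
</VirtualHost>

# HTTPS: mod_deflate is still loaded, but the DEFLATE output filter is
# skipped for every request handled by this virtual host.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # mod_deflate checks the per-request environment for "no-gzip"
    # and passes the response through uncompressed when it is set.
    SetEnv no-gzip 1
</VirtualHost>
```

To check the result, request the same page over both schemes with `Accept-Encoding: gzip` and confirm that `Content-Encoding: gzip` appears only in the http response.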