[Cialug] Webserver mitigation against BREACH
Zachary Kotlarek
zach at kotlarek.com
Tue Aug 6 14:43:08 CDT 2013
On Aug 6, 2013, at 12:37 PM, Nicolai <nicolai-cialug at chocolatine.org> wrote:
> On Tue, Aug 06, 2013 at 02:12:23PM -0500, Paul Gray wrote:
>> On 08/06/2013 02:00 PM, Nicolai wrote:
>>> What are the related options in Apache? Other webservers?
>>
>> Turn off the deflate module in Apache2.
>
> Is it possible to restrict this change to an <IfDefine SSL> in
> httpd.conf, or otherwise to SSL/TLS sessions? I ask because some people
> serve http and https from the same Apache instance, and it would be
> unfortunate to disable compression system-wide when the attack only
> concerns SSL/TLS. I don't have an Apache2 instance to test.
Yes. You can set flags to enable/disable compression inside any scope directive (e.g. <Directory>, <Location>, <VirtualServer>, .htaccess).
http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
Zach
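
A per-scope configuration of the kind the reply describes, added here as an illustration; it is not part of the original message. It assumes Apache 2.2 with mod_deflate, mod_env and mod_ssl loaded, and the hostname and file paths are placeholders.

```apache
# Constructed example: one Apache instance serving both HTTP and HTTPS.
# www.example.com and all file paths below are placeholders.

# Server-wide: compress text responses. Both virtual hosts inherit this.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/css
</IfModule>

# Plain HTTP: nothing overrides the inherited filter, so compression stays on.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example
</VirtualHost>

# HTTPS: switch compression off for this scope only.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # mod_deflate leaves a response uncompressed when the request carries
    # the no-gzip environment variable, so setting it unconditionally here
    # disables HTTP compression for everything served over TLS.
    SetEnv no-gzip 1

    # To limit the change to part of the site, drop the line above and set
    # the variable in a narrower scope instead (path is a placeholder):
    # <Location /account>
    #     SetEnv no-gzip 1
    # </Location>
</VirtualHost>
```

To confirm the result, request a page from each port with `curl -s -o /dev/null -D - -H 'Accept-Encoding: gzip' <url>`; the HTTP response should carry `Content-Encoding: gzip` and the HTTPS response should not.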