<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">CRIME has been superseded by BREACH, and it is in no way related to any specific Web server, but to the more general concepts of TLS-encrypted (gzip-?)compressed HTTP content (SPDY is fine).<br><br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">On the following website you will get all the details as well as a cheat-sheet list of ideas to mitigate it. Disabling gzip compression when encrypting HTTP content is one idea.<br><a href="http://breachattack.com/">http://breachattack.com/</a><br></div><div class="gmail_extra"><br><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">The baseline is: nginx in itself has nothing to do with it.</div><div><div class="gmail_signature"><font size="1"><span style="color:rgb(102,102,102)">---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font></div></div>
<br><div class="gmail_quote">On Mon, Jul 27, 2015 at 5:24 PM, Robert Krüger <span dir="ltr"><<a href="mailto:krueger@lesspain.de" target="_blank">krueger@lesspain.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br clear="all"><div>Hi,</div><div><br></div><div>I am working in a project where a password-protected extranet application is behind an nginx proxy using SSL.</div><div><br></div><div>Now I asked the admin to enable server-side HTTP compression because we tend to have rather lengthy JSON responses from our REST API and they compress very well and the performance gain would be significant. He declined doing that, explaining that because of the CRIME vulnerability, it is not a good idea to enable compression when using SSL with nginx. Is this really always the case? Are there scenarios where the vulnerability is not a problem? I am trying to understand this better to make an informed decision because not using compression (encryption is a must) would incur other costs (optimizations in the code) and I don't just want to waste that time and money unless I have to.</div><div><br></div><div>Thanks in advance,</div><div><br></div><div>Robert</div>
</div>
<br>_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br></blockquote></div><br></div></div>
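One way to apply the "disable gzip for encrypted content" mitigation from the reply above without giving up compression entirely, as an added nginx configuration example that is not part of this thread. Hostnames, certificate paths and the upstream address are placeholders.

```nginx
# Added example, not from the thread: a TLS vhost fronting the extranet REST API.
# extranet.example.com, the certificate paths and 127.0.0.1:8080 are placeholders.

# Weak setting (do not use on a TLS vhost): compressing every proxied response,
# including dynamic JSON that mixes per-user secrets with request-derived data,
# is exactly the precondition BREACH needs.
#   gzip on;
#   gzip_proxied any;
#   gzip_types application/json;

server {
    listen 443 ssl;
    server_name extranet.example.com;
    ssl_certificate     /etc/nginx/certs/extranet.pem;
    ssl_certificate_key /etc/nginx/certs/extranet.key;

    # Default for this vhost: nginx adds no HTTP compression to responses.
    gzip off;

    # Dynamic API responses (the lengthy JSON from the question) stay
    # uncompressed. Clearing Accept-Encoding towards the upstream also stops
    # the backend from compressing them itself, since nginx would otherwise
    # pass a backend-compressed body through unchanged.
    location /api/ {
        proxy_set_header Accept-Encoding "";
        proxy_pass http://127.0.0.1:8080;
    }

    # Static assets carry no per-user secret and reflect no request input,
    # so compressing them creates no length oracle; enable gzip only here.
    location /static/ {
        root /srv/extranet;
        gzip on;
        gzip_types text/css application/javascript image/svg+xml;
        gzip_min_length 1024;
        gzip_vary on;
    }
}
```

Whether a given dynamic endpoint can safely be compressed depends on it never placing a secret and attacker-influenced input in the same response body, which is the check to run before moving any location out of the uncompressed default.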