How to turn off gzip compression for SSL traffic

B.R. reallfqq-nginx at
Mon Aug 19 05:56:18 UTC 2013

On Mon, Aug 19, 2013 at 12:41 AM, Igor Sysoev <igor at> wrote:

> These are different vulnerabilities: SSL compression is subject to
> CRIME vulnerability while HTTP/SSL compression is subject to BREACH
> vulnerability.


CRIME attacks a vulnerability in the implementation of SSLv3 and TLS1.0​
using CBC flaw: the IV was guessable. Hte other vulnerability was a
facilitator to inject automatically ​arbitrary content (so attackers could
inject what they wish to make their trail-and-error attack).
CRIME conclusion is: use TLS v1.1 or later (not greater than v1.2 for now).

BREACH attacks the fact that compressed HTTP content encrypted with SSL
makes it easy to guess a known existing header field from the request that
is repeated in the (encrypted) answer looking at the size of the body.
BEAST conclusion is: don't use HTTP compression underneath SSL encryption.
*B. R.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list