Comment 45 for bug 1068854

In , Christoph Anton Mitterer (calestyo) wrote:

Hi Stefan.

1) Are you going to backport this into the Debian versions?

2) As long as there is no protocol level fix (or something like this), wouldn't it be better to generally and forcibly switch that off in the affected versions?
I mean if someone would really want it in spite of the attack,... he should probably be able to patch the code accordingly.
Otherwise people may just think that compression sounds like a good thing and "accidentally" enable it (which leads me to: (3)).

3) As far as I can see, the documentation of this directive does not refer to the CRIME attack.
Unless (2) was done (and thus people can't accidentally enable it) I'd strongly recommend adding information that switching compression on allows the CRIME attack and which versions of SSL/TLS/etc. are affected (unless all are).

Cheers,
Chris.
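The comment argues for switching TLS compression off outright so that nobody enables it by accident. Two checks an administrator can use to confirm that state are shown below as an added example; this is not code from the bug report, from Chris, or from the affected package, and it assumes only the standard `openssl s_client` session summary format and Python's `ssl` module. The server samples are constructed.

```python
"""Defender-side checks for TLS compression, the precondition for CRIME.

Added example, not part of the bug report. Assumes the "SSL-Session:"
summary format printed by `openssl s_client` and Python's ssl module.
"""
import re
import ssl
from typing import Optional


def tls_compression_negotiated(s_client_output: str) -> Optional[bool]:
    """Parse the session summary printed by `openssl s_client` and report
    whether a compression method was negotiated.

    Returns True if a method other than NONE was negotiated, False if the
    summary says NONE, and None if no Compression line is present (for
    example when the handshake failed), so a missing line is never read
    as "safe".
    """
    match = re.search(r"^\s*Compression\s*:\s*(.+?)\s*$",
                      s_client_output, re.MULTILINE)
    if match is None:
        return None
    return match.group(1).upper() != "NONE"


def context_blocks_compression(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses to negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def hardened_context() -> ssl.SSLContext:
    """Client context with compression explicitly disabled (the state the
    comment asks for), regardless of the interpreter's defaults."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def weak_context() -> ssl.SSLContext:
    """Client context with the OP_NO_COMPRESSION flag cleared, i.e. the
    "accidentally enabled" configuration the comment warns about. Modern
    OpenSSL builds usually lack zlib support, so this flag alone may not
    negotiate compression in practice; the audit still flags the intent."""
    ctx = ssl.create_default_context()
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


# Constructed sample: `openssl s_client` summary from a server that still
# negotiates zlib compression (the weak state).
WEAK_SERVER_OUTPUT = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Compression: zlib compression
    Expansion: zlib compression
"""

# Constructed sample: the same server after compression was switched off.
HARDENED_SERVER_OUTPUT = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Compression: NONE
    Expansion: NONE
"""


def audit_samples() -> dict:
    """Run both checks over the constructed samples and local contexts."""
    return {
        "weak_server": tls_compression_negotiated(WEAK_SERVER_OUTPUT),
        "hardened_server": tls_compression_negotiated(HARDENED_SERVER_OUTPUT),
        "no_handshake": tls_compression_negotiated("CONNECTED(00000003)\n"),
        "hardened_ctx": context_blocks_compression(hardened_context()),
        "weak_ctx": context_blocks_compression(weak_context()),
    }


if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(f"{name}: {result}")
```

To check a real server, feed the output of `openssl s_client -connect host:443` (closed with an empty stdin) into `tls_compression_negotiated`; a result of `True` means the server still offers the CRIME precondition, and `None` means the handshake summary was not found and the check must be repeated rather than treated as a pass.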