[Cialug] Webserver mitigation against BREACH
Michael Davis
mpdavis at iastate.edu
Tue Aug 6 14:14:44 CDT 2013
The most popular gzip module for Apache is mod_deflate. mod_gzip is also
used, but much less common. All you have to do is disable those modules.
On Debian-type systems:
a2dismod deflate
a2dismod gzip
On RedHat-type systems, modify the conf files in /etc/httpd/conf.d/
Michael Davis
Software Engineering - Iowa State University
WebFilings Software Engineer Intern
IASG Treasurer
On Tue, Aug 6, 2013 at 2:00 PM, Nicolai <nicolai-cialug at chocolatine.org> wrote:
> Hello,
>
> You may have read about the new BREACH [0] attack against HTTP-level
> compression in SSL/TLS sessions. The fool-proof way to mitigate this
> attack is to simply disable on-the-fly compression in SSL/TLS. In
> nginx.conf you can do this under your ssl server section:
>
> gzip off;
> gzip_static on; # not necessary but can help retain performance
>
> The first option disables compression done on the fly, including dynamic
> content targeted by BREACH. The second option, gzip_static, pertains
> only to pre-compressed, static files, which are not applicable to
> BREACH, e.g.
>
> gzip -c -9 index.html > index.html.gz # or...
> zopfli index.html # better compression
>
> What are the related options in Apache? Other webservers?
>
> Nicolai
>
> [0] http://breachattack.com/
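As an added example (not code from either message in the thread), the Apache counterpart of Nicolai's "gzip off;" in the nginx ssl server block: rather than disabling mod_deflate server-wide with a2dismod, the mitigation can be scoped to the TLS virtual host, since BREACH only concerns compressed responses inside TLS. The hostname, document root and certificate paths are placeholders.

```apache
# Added example for the Apache side of the thread; hostnames and paths are placeholders.
# mod_deflate stays loaded, but on-the-fly compression is turned off only where
# BREACH applies (the TLS vhost), so plain-HTTP responses can still be compressed.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    # Plain HTTP is not inside TLS, so dynamic compression is not a BREACH concern here.
    AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    # Placeholder certificate paths
    SSLCertificateFile /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # mod_deflate skips any request whose environment has the "no-gzip" variable
    # set, so this disables on-the-fly compression for every response served by
    # the TLS vhost, including the dynamic pages BREACH targets. This is the
    # equivalent of "gzip off;" in the nginx ssl server section.
    SetEnv no-gzip 1
</VirtualHost>
```

To confirm the change took effect, request a dynamic page over HTTPS with an `Accept-Encoding: gzip, deflate` header (curl -I works) and check that the response carries no `Content-Encoding` header.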