[Cialug] Webserver mitigation against BREACH

Nicolai nicolai-cialug at chocolatine.org
Tue Aug 6 14:37:32 CDT 2013


On Tue, Aug 06, 2013 at 02:12:23PM -0500, Paul Gray wrote:
> On 08/06/2013 02:00 PM, Nicolai wrote:
> > What are the related options in Apache?  Other webservers?
> 
> Turn off the deflate module in Apache2.

Is it possible to restrict this change to an <IfDefine SSL> in
httpd.conf, or otherwise to SSL/TLS sessions?  I ask because some people
serve http and https from the same Apache instance, and it would be
unfortunate to disable compression system-wide when the attack only
concerns SSL/TLS.  I don't have an Apache2 instance to test.

Nicolai
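
One way to scope the change to TLS only, as an added example that is not part of the original message: mod_deflate skips any response whose request carries the `no-gzip` environment variable, and `SetEnv` is valid inside a `<VirtualHost>`. The server name, document root and certificate paths are placeholders, and the sketch assumes mod_deflate, mod_env and mod_ssl are loaded.

```apache
# Added example; ServerName, DocumentRoot and certificate paths are placeholders.
# <IfDefine SSL> only tests a -D parameter given at server startup, so it
# cannot tell http from https requests inside one running instance.
# A per-vhost setting can.

# Compression configured once at server level and inherited by every vhost.
# (AddOutputFilterByType is provided by core in 2.2 and by mod_filter in 2.4.)
AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript

<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/example
    # Plain HTTP: DEFLATE stays active.
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # TLS only: mod_deflate leaves responses uncompressed when no-gzip is set.
    SetEnv no-gzip 1
</VirtualHost>
```

To check the result, request the same page over both schemes with an `Accept-Encoding: gzip` header; only the http response should come back with `Content-Encoding: gzip`.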

