https://bz.apache.org/bugzilla/show_bug.cgi?id=64431
--- Comment #4 from Craig <candr...@integralblue.com> ---

> > CRIME, BREACH.
>

CRIME is a vulnerability that applies to TLS compression - I'm not suggesting here that TLS compression be used (it was actually removed in TLS 1.3). So I don't believe CRIME is relevant.

BREACH is relevant... There are mitigations (such as SameSite cookies), but there's no guarantee that applications running Tomcat have implemented them. So I see your point :)

Does Tomcat have any mitigations for BREACH in place today? It seems Tomcat doesn't do any kind of random response padding (such as with empty response chunks or randomly sized response chunking).