On Tue, Aug 20, 2013 at 5:12 PM, rmalayter wrote:
> No, the conclusion is: don't echo back values supplied by the requester as
> trusted in your *application* code. This is the most basic of
> anti-injection
> protections. BREACH is the result of an application-layer problem, and
> needs
> to be
B.R. Wrote:
> BREACH attacks the fact that compressed HTTP content encrypted with
> SSL
> makes it easy to guess a known existing header field from the request
> that
> is repeated in the (encrypted) answer looking at the size of the body.
> BEAST conclusion is: don't use HTTP compression underneat
On Mon, Aug 19, 2013 at 2:04 AM, Igor Sysoev wrote:
> Incorrect.
>
> CRIME attacks a vulnerability in the implementation of SSLv3 and TLS1.0
> using CBC flaw: the IV was guessable. The other vulnerability was a
> facilitator to inject automatically arbitrary content (so attackers could
> injec
On Aug 19, 2013, at 9:56 , B.R. wrote:
> On Mon, Aug 19, 2013 at 12:41 AM, Igor Sysoev wrote:
>
> These are different vulnerabilities: SSL compression is subject to
> CRIME vulnerability while HTTP/SSL compression is subject to BREACH
> vulnerability.
>
> Incorrect.
>
> CRIME attacks a vulner
On Mon, Aug 19, 2013 at 12:41 AM, Igor Sysoev wrote:
>
> These are different vulnerabilities: SSL compression is subject to
> CRIME vulnerability while HTTP/SSL compression is subject to BREACH
> vulnerability.
>
Incorrect.
CRIME attacks a vulnerability in the implementation of SSLv3 and TLS1.
On Aug 18, 2013, at 14:27 , howard chen wrote:
> Hi,
>
> Thanks for the insight.
>
> Finally I solved by:
>
> if ($scheme = https) {
> gzip off;
> }
This does not work on server level. And on location level it may work in the
wrong way.
> Separating into two servers require to duplicate the
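One way to follow Igor's advice without duplicating the rewrite rules, as an added example that is not from the thread: keep the shared rules in one snippet and include it from both server blocks, so only the HTTPS block turns HTTP-level compression off. The server name, certificate paths and snippet file are placeholders.

```nginx
# Added example, not from the thread. "gzip on" in the http block is
# inherited by every server block; the HTTPS block overrides it with a
# plain "gzip off", which is valid at server level (no "if" needed).
# Anything shared (rewrites, location blocks, proxy settings) lives in
# one file pulled in with "include", avoiding the duplication howard
# chen objected to. Note: a gzip directive inside the included snippet's
# location blocks would take precedence over the server-level setting.
http {
    gzip on;

    server {
        listen 127.0.0.1:80 default_server;
        server_name example.com;                          # placeholder
        include /etc/nginx/snippets/common-rules.conf;    # placeholder path
    }

    server {
        listen 127.0.0.1:443 ssl;
        server_name example.com;                          # placeholder
        ssl_certificate     /etc/nginx/ssl/example.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/example.key;   # placeholder

        gzip off;    # HTTP compression disabled for TLS responses only
        include /etc/nginx/snippets/common-rules.conf;    # same shared rules
    }
}
```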
On Aug 18, 2013, at 21:09 , itpp2012 wrote:
> Igor Sysoev Wrote:
> ---
>> Yes, modern nginx versions do not use SSL compression.
> [...]
>> You have to split the dual mode server section into two server
>> sections and set "gzip off"
>> SS
Hello,
On Sun, Aug 18, 2013 at 4:48 PM, itpp2012 wrote:
> I think we could all benefit from a nginx recommendation on using gzip with
> single and dual mode server sections regarding a hardening approach against
> breach. Maxim?
>
As Igor advised, 2 different servers to serve HTTP & HTTPS req
I think we could all benefit from a nginx recommendation on using gzip with
single and dual mode server sections regarding a hardening approach against
breach. Maxim?
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241953,241993#msg-241993
___
On Sun, Aug 18, 2013 at 12:31 PM, Paul N. Pace wrote:
> Igor said:
>>You have to split the dual mode server section into two server
>>sections and set "gzip off"
>>SSL-enabled on. There is no way to disable gzip in dual mode server section,
>>but if you really
>>worry about security in ge
Igor said:
>You have to split the dual mode server section into two server sections
>and set "gzip off"
>SSL-enabled on. There is no way to disable gzip in dual mode server section,
>but if you really
>worry about security in general the server sections should be different.
Adie said:
>Th
This discussion started regarding concerns about the BREACH, which (if you
documented about it) attacks SSL-encrypted HTTP-level-compressed data, thus
implying the discussion around gzip.
---
*B. R.*
___
nginx mailing list
nginx@nginx.org
http://mailman.n
I think you mistake ssl/tls level compression with gzip http compression,
both are different.
If you put gzip in http section, all server sections under this http will
inherit this gzip config.
This is why Igor recommends that you split the server config for SSL and
non-SSL, and put 'gzip on' only
On 18 August 2013 18:09, itpp2012 wrote:
> Igor Sysoev Wrote:
> ---
>> Yes, modern nginx versions do not use SSL compression.
> [...]
>> You have to split the dual mode server section into two server
>> sections and set "gzip off"
>> SSL-e
Igor Sysoev Wrote:
---
> Yes, modern nginx versions do not use SSL compression.
[...]
> You have to split the dual mode server section into two server
> sections and set "gzip off"
> SSL-enabled on. There is no way to disable gzip in dual m
I thought that "if" statements slowed nginx down?
On Sun, Aug 18, 2013 at 6:27 AM, howard chen wrote:
> Hi,
>
> Thanks for the insight.
>
> Finally I solved by:
>
> if ($scheme = https) {
> gzip off;
> }
>
> Separating into two servers requires duplicating the rules like rewrite,
> which is
Hi,
Thanks for the insight.
Finally I solved by:
if ($scheme = https) {
gzip off;
}
Separating into two servers requires duplicating the rules like rewrite,
which is cumbersome.
Thanks anyway
On Sat, Aug 17, 2013 at 8:43 PM, Igor Sysoev wrote:
> On Aug 17, 2013, at 8:59 , howard chen
On Aug 17, 2013, at 8:59 , howard chen wrote:
> Hi,
>
> As you know, due to the breach attack (http://breachattack.com), HTTP
> compression is no longer safe (I assume nginx doesn't use SSL compression by
> default?), so we should disable it.
Yes, modern nginx versions do not use SSL compression.
Hi,
As you know, due to the breach attack (http://breachattack.com), HTTP
compression is no longer safe (I assume nginx doesn't use SSL compression by
default?), so we should disable it.
Now, we are using config like the following:
gzip on;
..
server {
listen 127.0.0.1:80 default