What about BREACH (CVE-2013-3587)?


What about BREACH (CVE-2013-3587)?

Rainer Duffner
Hi,


testssl.ch still laments about BREACH, when tested against a recent
nginx 1.16.

Qualys ssllabs doesn't mention it at all.


Is it fixed?

Can you safely enable gzip on ssl-vhosts?




Best Regards
Rainer
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: What about BREACH (CVE-2013-3587)?

J.R.
> testssl.ch still laments about BREACH, when tested against a recent
> nginx 1.16.
>
> Qualys ssllabs doesn't mention it at all.
>
> Is it fixed?
>
> Can you safely enable gzip on ssl-vhosts?

I think you are confusing TLS compression with HTTP compression...

Re: What about BREACH (CVE-2013-3587)?

Rainer Duffner


On 04.02.2020 at 21:38, J.R. <[hidden email]> wrote:

> I think you are confusing TLS compression with HTTP compression...



Probably.
I read that later somewhere else.

I just wonder why it’s lumped-in in testssl.sh.




Re: What about BREACH (CVE-2013-3587)?

Frank Liu

When using the SSL/TLS protocol, compressed responses may be subject to BREACH attacks.

On Tue, Feb 4, 2020 at 1:35 PM Rainer Duffner <[hidden email]> wrote:

> On 04.02.2020 at 21:38, J.R. <[hidden email]> wrote:
>
>> I think you are confusing TLS compression with HTTP compression...
>
> Probably.
> I read that later somewhere else.
>
> I just wonder why it’s lumped-in in testssl.sh.

