[Bug 1403283] Re: [Security] BREACH vulnerability is not mitigated in default configuration
Thomas Ward
teward at trekweb.org
Fri Dec 19 01:16:36 UTC 2014
Additional notes:
Disabling HTTP-level compression by default is not a decent option to
solving this. Mitigation is mostly on an application level, then,
however there are third-party modules that can be included (in the
Universe binaries) which would add length hiding as a potential
mitigation method.
A more detailed description on this whole issue can be found here on my
blog, describing what BREACH is and possible mitigation methods. It
also provides three possible mitigation methods, one which can be done
already by default, one which can be done at application levels, and one
which can be done with a separate module. http://dark-net.net/?p=49 is
the blog post. (aggregated on planet.ubuntu.com)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1403283
Title:
[Security] BREACH vulnerability is not mitigated in default
configuration
To manage notifications about this bug go to:
https://bugs.launchpad.net/nginx/+bug/1403283/+subscriptions
More information about the Ubuntu-server-bugs
mailing list