Any server-side defenses? [LWN.net]

Any server-side defenses?

Posted Sep 13, 2012 21:12 UTC (Thu) by kmself (guest, #11565)
Parent article: CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost)

I've confirmed that we're NOT employing SSL compression locally, and I'v inquired with our load balancer (we terminate SSL on the LB) vendor regarding updates (they're unaware of the issue yet).

That said: is this an attack which can be addressed on the server side, or does it depend on client-side updates as mentioned in the article?

to post comments

Any server-side defenses?

Posted Sep 13, 2012 21:26 UTC (Thu) by cyanit (guest, #86671) [Link]

The server chooses whether to use compression in the ServerHello, so it should be possible to have the server avoid requesting compression at all.

Some non-compliant clients might perhaps not like it though, not sure.

Of course, this is suboptimal compared to the client avoiding compression of sensitive parts, but I'm not sure how the server could detect that the client is fixed.

Maybe the TLS standard should be amended to add new compression algorithm identifiers that tell the server that the client knows to securely compress HTTP requests.