Security exploits
- CRIME
- disable TLS/SPDY compression.
- BREACH
- turn off HTTP compression. Works, but performance hit.
- CSRF Token Defence, application changes needed.
- HTTP Chunked Encoding Mitigation, http://nginx.org/en/docs/http/ngx_http_core_module.html#chunked_transfer_encoding
- Compression can safely be enabled for plain HTTP traffic, since BREACH needs a TLS-protected secret to recover.
- https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#breach
- http://breachattack.com/
- https://community.qualys.com/blogs/securitylabs/2013/08/07/defending-against-the-breach-attack
Some tips on configuration
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- Review ssl_ciphers
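The mitigations above, put together as an added nginx configuration example (not taken from the page or from nginx's own documentation). The hostname, certificate paths, document root and the cipher string are assumptions; the cipher string shown is nginx's documented default and is the starting point the page says to review.

```nginx
# Added example (not from the original page): nginx server blocks that apply
# the BREACH mitigation listed above. Hostnames, paths and the cipher string
# are assumptions; adjust them for your deployment.

http {
    # Plain-HTTP site: compression is safe here, as the page notes, because
    # there is no TLS-protected secret for BREACH to recover.
    server {
        listen 80;
        server_name example.com;   # assumed hostname
        gzip on;
        gzip_types text/plain text/css application/json application/javascript;
        root /var/www/example;     # assumed document root
    }

    # HTTPS site: the weak setting would be "gzip on;" here. Turning HTTP-level
    # compression off removes the BREACH side channel at a bandwidth cost.
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/certs/example.com.crt;  # assumed path
        ssl_certificate_key /etc/nginx/certs/example.com.key;  # assumed path

        gzip off;

        # Protocol list as given on the page; SSLv3 and earlier are excluded.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Let the server, not the client, pick the cipher, and start from
        # nginx's documented default cipher string (review it for your needs).
        ssl_prefer_server_ciphers on;
        ssl_ciphers HIGH:!aNULL:!MD5;

        root /var/www/example;
    }
}
```

After reloading, `nginx -t` validates the syntax, and a request such as `curl -sI -H 'Accept-Encoding: gzip' https://example.com/` should come back without a `Content-Encoding: gzip` header on the HTTPS site while the same request against the HTTP site still shows it.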