HTTP response compression and related security exploits

Security exploits

• BEAST
  • "The vulnerability of the attack had been fixed with TLS 1.1 in 2006." src
  • Disable TLS compression. This attack is similar in nature to the recent RC4 attacks, but practical. src
  • Support TLS 1.2 and GCM as soon as possible. src

• CRIME
  • disable TLS/SPDY compression.

• BREACH
  • turn off HTTP compression. Works, but performance hit.
  • CSRF Token Defence, application changes needed.
  • HTTP Chunked Encoding Mitigation, http://nginx.org/en/docs/http/ngx_http_core_module.html#chunked_transfer_encoding
  • Compression can safely by enabled for http traffic.
  • https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#breach
  • http://breachattack.com/
  • https://community.qualys.com/blogs/securitylabs/2013/08/07/defending-against-the-breach-attack

Some tips on configuration

• ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
• Review ssl_ciphers
  • https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
  • https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
  • http://security.stackexchange.com/questions/54639/nginx-recommended-ssl-ciphers-for-security-compatibility-with-pfs

Read more

• HTTP request compression

• SSL Server test

• https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/

• https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

• http://nulab-inc.com/blog/nulab/securing-nginx/

• http://zoompf.com/blog/2012/02/lose-the-wait-http-compression