ClearOS Documentation

×

Warning

0 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


SSL Compression Methods Supported

This entry from Security Metrics suggests that there is some risk associated with negotiation of SSL Compression methods in HTTPS.

ClearCenter response

Short response

Negotiation of protocol compression is allowed under protocol. This is not a risk.

Long response

In order to use protocol compression in SSL, both parties must agree on the methods that they will use. It is common for the server to offer the list of methods that can be used. Such information is only usable to the endpoints can is not a risk. Even in instances where a man-in-the-middle attack is present, such information is largely useless in and of itself.

Compression is not security nor is it intended to be security. This should not even be a factor of security analysis.

Resolution

No action required.

content/en_us/kb_3rdparty_security_metrics_ssl_compression_methods_supported.txt · Last modified: 2015/01/29 09:48 (external edit)

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Akb_3rdparty_security_metrics_ssl_compression_methods_supported&1568831466