HTTP response compression and related security exploits

Security exploits

• BEAST
• "The vulnerability of the attack had been fixed with TLS 1.1 in 2006." src
• Disable TLS compression. This attack is similar in nature to the recent RC4 attacks, but practical. src

• Support TLS 1.2 and GCM as soon as possible. src

• CRIME

• disable TLS/SPDY compression.

• BREACH

• turn off HTTP compression. Works, but performance hit.
• CSRF Token Defence, application changes needed.
• HTTP Chunked Encoding Mitigation, http://nginx.org/en/docs/http/ngx_http_core_module.html#chunked_transfer_encoding
• Compression can safely by enabled for http traffic.
• https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#breach
• http://breachattack.com/
• https://community.qualys.com/blogs/securitylabs/2013/08/07/defending-against-the-breach-attack

Some tips on configuration

• ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
• Review ssl_ciphers
• https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
• https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
• http://security.stackexchange.com/questions/54639/nginx-recommended-ssl-ciphers-for-security-compatibility-with-pfs

Read more

• HTTP request compression

• SSL Server test

• https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/

• https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

• http://nulab-inc.com/blog/nulab/securing-nginx/

• http://zoompf.com/blog/2012/02/lose-the-wait-http-compression