Saturday, 15 June 2013

nginx - HTTPS + gzip: Is it a security vulnerability if I only gzip non-sensitive files?


As I understand it, if I use gzip with SSL/HTTPS, it opens a security vulnerability (BREACH/CRIME).

What if I only use it on my CSS and JS files? Is it still a security vulnerability if those files are served on my HTTPS server?

I think the answer is no: it is not a security vulnerability. The CRIME/BEAST attacks are chosen-plaintext attacks that reveal the original plaintext; in your case that would be the CSS and JavaScript, which do not hold security-sensitive values. (Possibly, you serve them over HTTPS to avoid compromised-content warnings in the browser.)

The attack cannot reveal the per-session symmetric keys, so it does not affect your sensitive content. Assuming that it is gzip/deflate. Of course, if you want to be 100% sure, you can consider selective gzip encoding according to this article:
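One way to express "gzip only the CSS and JS" in nginx, as an added example that is not part of the original question or answer. The server name, certificate paths, document root and upstream address are assumptions. Note that nginx always compresses `text/html` wherever `gzip on` is in effect, regardless of `gzip_types`, so compression is switched on only inside the static-asset location rather than for the whole server.

```nginx
# Added example; server name, paths and upstream below are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;

    # Default for everything on this server: no compression.
    # Setting "gzip on" here would also compress text/html responses,
    # because nginx always includes text/html in the compressed types.
    gzip off;

    # Static assets with no secrets in them: safe to compress.
    location ~* \.(?:css|js)$ {
        root /var/www/example/static;

        gzip on;
        gzip_types text/css application/javascript text/javascript;
        gzip_min_length 256;   # skip tiny files where gzip gains nothing
        gzip_vary on;          # emit "Vary: Accept-Encoding" for caches
    }

    # Dynamic pages that may carry tokens or session data: left uncompressed.
    location / {
        proxy_pass http://127.0.0.1:8080;

        # Stop the backend from compressing on its own; nginx would
        # otherwise relay an upstream gzip body unchanged.
        proxy_set_header Accept-Encoding "";
    }
}
```

After reloading, check one asset and one dynamic page with a client that sends `Accept-Encoding: gzip`: only the asset response should carry `Content-Encoding: gzip`.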

