View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001144 | Main CAcert Website | misc | public | 2013-01-31 11:12 | 2013-07-16 20:52 |
| Reporter | hanno | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 2013 Q1 | ||||
| Fixed in Version | 2013 Q2 | ||||
| Summary | 0001144: cacert.org enables TLS Compression (which is insecure, CRIME-attack) | ||||
| Description | TLS Compression is known to be insecure (see CRIME-attack). So it's advisable to disable it on SSL servers. The CAcert website has it enabled. Transferred data can still be compressed in a secure way on the http level. TLS Compression wasn't widely supported by browsers anyway, so there isn't much loss with disabling it. | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
|
|
By upgrading to Debian Squeeze on April 3, 2013, the CAcert webserver is no longer supporting TLS compression. Debian Squeeze released a security update DSA 2579-1 in November 2012, which turns of SSLCompression by default. We are running with that code base now on the CAcert production server as of April 3, 2013. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2013-01-31 11:12 | hanno | New Issue | |
| 2013-04-09 22:29 | INOPIAE | Assigned To | => wytze |
| 2013-04-09 22:39 | INOPIAE | Status | new => confirmed |
| 2013-04-10 14:11 | wytze | Note Added: 0003872 | |
| 2013-04-10 14:11 | wytze | Status | confirmed => solved? |
| 2013-04-10 14:11 | wytze | Fixed in Version | => 2013 Q2 |
| 2013-04-10 14:11 | wytze | Resolution | open => fixed |
| 2013-04-10 14:12 | wytze | Note Edited: 0003872 | |
| 2013-04-10 14:12 | wytze | Note Edited: 0003872 | |
| 2013-04-13 06:17 | INOPIAE | Product Version | => 2013 Q1 |
| 2013-07-16 20:52 | INOPIAE | Status | solved? => closed |
| 2013-07-16 20:52 | INOPIAE | Assigned To | wytze => |
