View Issue Details

ID: 0001144
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2013-07-16 20:52
Reporter: hanno
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2013 Q1
Fixed in Version: 2013 Q2
Summary: 0001144: cacert.org enables TLS Compression (which is insecure, CRIME-attack)
Description: TLS Compression is known to be insecure (see CRIME-attack). So it's advisable to disable it on SSL servers. The CAcert website has it enabled.

Transferred data can still be compressed in a secure way on the http level. TLS Compression wasn't widely supported by browsers anyway, so there isn't much loss with disabling it.
Tags: No tags attached.
Reviewed by:
Test Instructions:

Activities

wytze (developer) ~0003872, 2013-04-10 14:11, last edited 2013-04-10 14:12

By upgrading to Debian Squeeze on April 3, 2013, the CAcert webserver is no longer supporting TLS compression. Debian Squeeze released a security update DSA 2579-1 in November 2012, which turns off SSLCompression by default. We are running with that code base now on the CAcert production server as of April 3, 2013.

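As an added example (not part of this bug report, and not CAcert's or Debian's code), the following Python parser pulls the compression_method field out of TLS ClientHello and ServerHello records. It lets a defender verify, from a captured handshake, whether a server like the one in the description actually negotiates DEFLATE instead of null compression, which is the condition the note above says the Debian update removes. The hello messages built at the bottom are constructed samples, not traffic captured from cacert.org, and every helper name (build_server_hello, server_negotiates_compression, and so on) is this example's own.

```python
"""Extract the TLS compression_method from ClientHello / ServerHello records.

Added example for bug 0001144; the sample messages are constructed, not captured.
Record layout (RFC 5246): type(1) version(2) length(2) | handshake type(1) len(3) body.
"""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02
# RFC 3749 registers DEFLATE (1) and LZS (64); 0 means no compression.
COMPRESSION_NAMES = {0: "null", 1: "DEFLATE", 64: "LZS"}


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != expected_type:
        raise ValueError("unexpected handshake message type")
    hs_len = int.from_bytes(body[1:4], "big")
    if len(body) < 4 + hs_len:
        raise ValueError("truncated handshake message")
    return body[4:4 + hs_len]


def client_hello_compression_methods(record: bytes) -> list:
    """Names of every compression method the client offers, in order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                                  # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                             # cipher_suites vector
    cm_len = body[pos]
    pos += 1
    methods = body[pos:pos + cm_len]
    if len(methods) != cm_len:
        raise ValueError("truncated compression_methods vector")
    return [COMPRESSION_NAMES.get(m, "unknown(%d)" % m) for m in methods]


def server_hello_compression_method(record: bytes) -> str:
    """Name of the single compression method the server selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32                                  # server_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # session_id
    pos += 2                                      # cipher_suite
    method = body[pos]
    return COMPRESSION_NAMES.get(method, "unknown(%d)" % method)


def server_negotiates_compression(record: bytes) -> bool:
    """True when the ServerHello selects anything other than null compression."""
    return server_hello_compression_method(record) != "null"


# --- constructed sample messages (hypothetical, not captured traffic) ------

def _wrap(hs_type: int, payload: bytes) -> bytes:
    """Wrap a handshake payload in handshake and TLS 1.0 record headers."""
    hs = bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_client_hello(compression_methods: bytes) -> bytes:
    """ClientHello with a zero random, empty session_id and one cipher suite."""
    payload = (b"\x03\x01" + bytes(32) + b"\x00"
               + struct.pack("!H", 2) + b"\x00\x2f"      # TLS_RSA_WITH_AES_128_CBC_SHA
               + bytes([len(compression_methods)]) + compression_methods)
    return _wrap(CLIENT_HELLO, payload)


def build_server_hello(compression_method: int) -> bytes:
    """ServerHello selecting the given compression method."""
    payload = (b"\x03\x01" + bytes(32) + b"\x00"
               + b"\x00\x2f" + bytes([compression_method]))
    return _wrap(SERVER_HELLO, payload)


if __name__ == "__main__":
    offered = build_client_hello(b"\x01\x00")      # client offers DEFLATE, then null
    print("client offers:", client_hello_compression_methods(offered))
    for selected in (1, 0):
        hello = build_server_hello(selected)
        print("server selects %-7s -> compression negotiated: %s"
              % (server_hello_compression_method(hello),
                 server_negotiates_compression(hello)))
```

Feed the parser the first handshake record sent by each side of a captured session. A ServerHello selecting anything but null shows the server is still willing to compress at the TLS layer; a client that offers only null cannot get compression regardless of the server's setting, which is why the description notes that little is lost by disabling it server-side.
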
Issue History

Date Modified Username Field Change
2013-01-31 11:12 hanno New Issue
2013-04-09 22:29 INOPIAE Assigned To => wytze
2013-04-09 22:39 INOPIAE Status new => confirmed
2013-04-10 14:11 wytze Note Added: 0003872
2013-04-10 14:11 wytze Status confirmed => solved?
2013-04-10 14:11 wytze Fixed in Version => 2013 Q2
2013-04-10 14:11 wytze Resolution open => fixed
2013-04-10 14:12 wytze Note Edited: 0003872
2013-04-10 14:12 wytze Note Edited: 0003872
2013-04-13 06:17 INOPIAE Product Version => 2013 Q1
2013-07-16 20:52 INOPIAE Status solved? => closed
2013-07-16 20:52 INOPIAE Assigned To wytze =>