View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001144 | Main CAcert Website | misc | public | 2013-01-31 11:12 | 2013-07-16 20:52 |

Field | Value |
---|---|
Reporter | hanno |
Assigned To | |
Priority | normal |
Severity | minor |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Product Version | 2013 Q1 |
Fixed in Version | 2013 Q2 |
Summary | 0001144: cacert.org enables TLS Compression (which is insecure, CRIME-attack) |
Description | TLS Compression is known to be insecure (see CRIME-attack). So it's advisable to disable it on SSL servers. The CAcert website has it enabled. Transferred data can still be compressed in a secure way on the http level. TLS Compression wasn't widely supported by browsers anyway, so there isn't much loss with disabling it. |
Tags | No tags attached. |
Reviewed by | |
Test Instructions | |

Notes

(0003872) wytze 2013-04-10 14:11

By upgrading to Debian Squeeze on April 3, 2013, the CAcert webserver is no longer supporting TLS compression. Debian Squeeze released a security update DSA 2579-1 in November 2012, which turns off SSLCompression by default. We are running with that code base now on the CAcert production server as of April 3, 2013.

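A way to verify the fix described in the note above, added here as an example and not part of the issue or of CAcert's own tooling: parse the `Compression:` line that `openssl s_client` prints in its session summary. The probe function, the `-comp` flag (OpenSSL 1.1.0 and later only offer compression client-side when asked) and the sample transcripts at the bottom are assumptions and constructed data, not captured from cacert.org.

```shell
#!/bin/sh
# Classify a server's TLS compression support from an `openssl s_client`
# transcript. Prints "disabled", "enabled" or "unknown" (no Compression line,
# e.g. because the handshake failed).
tls_compression_status() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Compression: / {
            found = 1
            if ($2 == "NONE") print "disabled"; else print "enabled"
            exit
        }
        END { if (!found) print "unknown" }'
}

# Live probe (needs network). The client must actually offer compression for
# the answer to mean anything: OpenSSL 1.1.0+ turns it off client-side unless
# -comp is given, and some builds have no zlib support at all, in which case
# the probe cannot tell "server refuses" from "client never asked".
check_host() {
    host=$1; port=${2:-443}
    transcript=$(openssl s_client -comp -connect "$host:$port" \
                 -servername "$host" </dev/null 2>/dev/null)
    tls_compression_status "$transcript"
}

# Constructed sample transcripts (trimmed to the session summary lines).
SAMPLE_OFF='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Compression: NONE'
SAMPLE_ON='SSL-Session:
    Protocol  : TLSv1.1
    Compression: zlib compression'

tls_compression_status "$SAMPLE_OFF"   # prints: disabled
tls_compression_status "$SAMPLE_ON"    # prints: enabled
```

An "enabled" result on a production host means the server still negotiates TLS-level compression and the CRIME mitigation has not taken effect; on Apache the directive to check is `SSLCompression off`.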
Date Modified | Username | Field | Change |
---|---|---|---|
2013-01-31 11:12 | hanno | New Issue | |
2013-04-09 22:29 | INOPIAE | Assigned To | => wytze |
2013-04-09 22:39 | INOPIAE | Status | new => confirmed |
2013-04-10 14:11 | wytze | Note Added: 0003872 | |
2013-04-10 14:11 | wytze | Status | confirmed => solved? |
2013-04-10 14:11 | wytze | Fixed in Version | => 2013 Q2 |
2013-04-10 14:11 | wytze | Resolution | open => fixed |
2013-04-10 14:12 | wytze | Note Edited: 0003872 | |
2013-04-10 14:12 | wytze | Note Edited: 0003872 | |
2013-04-13 06:17 | INOPIAE | Product Version | => 2013 Q1 |
2013-07-16 20:52 | INOPIAE | Status | solved? => closed |
2013-07-16 20:52 | INOPIAE | Assigned To | wytze => |