A: A vulnerability of this type is referred to as an oracle vulnerability and, although there is no standard name for this issue, the most common names for it are CRIME and BREACH. The article you linked to explains it in detail and contains detailed guidance on how to mitigate this kind of vulnerability in your environment. Some of the recommendations include disabling SSLv3 (as suggested by @Fayland) and configuring a host key in browsers that are enabled for auto-update. You can read the full article for more detailed information.

A: I found a mitigation that worked well for me. I modified Apache's configuration so that a warning page would be returned for all invalid HTTP requests. See https://www.owasp.org/index.php/OWASP_CRIME

I'd imagine other web servers are susceptible to the same issue, and there should be a mitigation that works for them as well. (I didn't use nginx.) Here's an example:

    if ($invalid_request) {
        http_response_code 400;
        error_page 400 = @warningpage;
    }

Hope that helps someone!

A: The ciphers used in SSL should be at least TLS 1.1 and 1.2. A cipher such as RC4 will no longer be considered secure as of 2015. It is better to be conservative and avoid legacy protocols like SSLv3 and TLS 1.0, and be as modern as possible. You can see more about this in our blog post titled “How to stay secure online”.

I found this guide on how to disable SSLv3: https://security.stackexchange.com/questions/5166/disabling-sslv3-and-tls-protocols-in-apache2

To change Apache's config file to disable SSLv3 support (and thus make it vulnerable to the CRIME attack), add this to your SSL configuration file (ssl.conf):

    # Disable SSL v3 protocol.
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

Remember to restart your Apache service after applying the changes.

Source: https://security.stackexchange.com/questions/4149/how-to-disable-sslv3

And you can find more information on the OpenSSL website on disabling SSLv3: http://www.openssl.org/docs/apps/ssl/ssl-conf.html#CIPHER_STRINGS

    SSL_OP_NO_TLSv1
    SSL_OP_NO_TLSv1_1
    SSL_OP_NO_TLSv1_2

The TLS 1.0, TLS 1.1, and TLS 1.2 protocol versions are disabled. See the “Legacy protocols (SSL v2/v3)” section.

Here is another tool you can use to tell if your SSL is vulnerable to the CRIME attack: http://filippo.io/null-byte-crimes/

You can test your own website as well; here is a website to try it out: http://cipherli.st

Finally, here is another way to test:

    curl -o ~/cr.sh --create-dirs -u somebody:hello http://whatismyip.akamai.com:1079/hello
    for i in {1..9}; do
        curl -o ~/cr.sh --create-dirs -u somebody:hello http://whatismyip.akamai.com:1079/hello >& /dev/null
        sleep 1
        rm ~/cr.sh
    done

Or use openssl directly with this command:

    openssl s_client -cipher 'ALL:-VERS-ALL:+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2' -connect localhost:443 < /dev/null \
      | grep 'server support: TLSv1\|TLSv1.1\|TLSv1.2' \
      | sed -r "s/.*server support: ([TLSv1\.0]*).*/\1/"

(Note: I know for a fact that the above is wrong, but it works for me and I can't find the error. It should be fixed soon.)

Another tool you can use is OpenSSL:

    openssl s_client -connect localhost:443 < /dev/null \
      | grep 'server support: TLSv1\|TLSv1.1\|TLSv1.2' \
      | sed -r "s/.*server support: ([TLSv1\.0]*).*/\1/"

Lastly, you can use ssllabs.com's site. You can try their test page here: https://https.ssllabs.com/ssldb/index.html

And see if any of these tests come back positive and you're affected by CRIME. If you have multiple sites and are running IIS, you may need to look into this blog for more information: http://blog.kalzumeus.com/2011/04/28/is-your-web-server-vulnerable-to-the-wide-vine-attack/

And I should add this blog post
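As an added example (not code from any answer above, nor from Apache), here is a small Python lint that evaluates `SSLProtocol` lines the way mod_ssl does (left to right, `+` adds, `-` removes, an unprefixed token replaces the set) and reports which legacy versions a line still leaves enabled, so a reviewer can see that the thread's `-all +TLSv1 +TLSv1.1 +TLSv1.2` line turns off SSLv3 but keeps TLS 1.0 and 1.1 on. The expansion of `all` (including SSLv3, as in OpenSSL 1.0.1-era builds) and the sample ssl.conf are assumptions constructed for the example.

```python
# Added example, not code from the thread or from Apache. Protocol names follow mod_ssl;
# the "all" expansion assumes an OpenSSL 1.0.1-era build where "all" still included SSLv3.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Versions to flag: SSLv3 (what the thread wants off) plus TLS 1.0/1.1 (RFC 8996).
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_sslprotocol(directive):
    """Return the set of versions an 'SSLProtocol ...' line enables.
    Tokens are evaluated left to right as mod_ssl does: '+' adds, '-' removes,
    and an unprefixed token replaces everything set so far (mod_ssl warns then)."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for word in tokens[1:]:
        action, word = (word[0], word[1:]) if word[:1] in ("+", "-") else ("", word)
        if word.lower() == "all":
            this = set(ALL)
        else:
            match = [p for p in PROTOCOLS if p.lower() == word.lower()]
            if not match:
                raise ValueError("unknown protocol %r" % word)
            this = {match[0]}
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this
    return enabled

def lint_ssl_conf(conf_text):
    """Report (line number, directive, legacy versions left on) for each SSLProtocol line."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()  # drop trailing comments
        if tokens and tokens[0].lower() == "sslprotocol":
            bad = parse_sslprotocol(" ".join(tokens)) & LEGACY
            if bad:
                findings.append((lineno, " ".join(tokens), sorted(bad)))
    return findings

# Constructed sample ssl.conf: the thread's line, a common variant, and a strict one.
SAMPLE_CONF = """\
# Disable SSL v3 protocol.
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2
"""
```

Running `lint_ssl_conf(SAMPLE_CONF)` flags lines 2 and 3 for TLSv1 and TLSv1.1 and passes line 4; the lint covers Apache's protocol list only, not the cipher-suite or compression settings that CRIME itself depends on.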