Though to some it may seem overblown, enough has been made in the past few days of the BREACH attack on SSL/TLS for the Django team to release an advisory. From what I can see, Webfaction seems to add deflate compression to all SSL sites transparently through its nginx setup. So, I suppose what I'm asking is whether there's a way to disable deflate compression for our webapps or whether Webfaction has some other mitigation plan for BREACH.
asked 06 Aug '13, 14:05 ris
We'll be disabling gzip compression for websites served via HTTPS in the coming days, after we've done a bit of testing.
answered 07 Aug '13, 10:19 seanf
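What turning off gzip for HTTPS only looks like in an nginx configuration, as an added example that is not WebFaction's actual setup. The server name, certificate paths and backend port are placeholders, and the proxied backend is an assumption.

```nginx
# Constructed example: example.com, the certificate paths and the
# backend address are placeholders.

# Plain-HTTP site: response compression left on.
server {
    listen 80;
    server_name example.com;

    gzip on;
    gzip_types text/css application/javascript application/json;

    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}

# HTTPS site: response compression off, so the length of the encrypted
# response no longer depends on how well the body compresses.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /path/to/example.com.crt;
    ssl_certificate_key /path/to/example.com.key;

    gzip off;

    location / {
        proxy_pass http://127.0.0.1:8000;
        # "gzip off" only stops nginx from compressing. An empty value
        # drops Accept-Encoding from the proxied request, so the
        # backend application does not compress the body itself.
        proxy_set_header Accept-Encoding "";
    }
}
```

After a reload, an HTTPS response requested with `Accept-Encoding: gzip` should come back without a `Content-Encoding` header.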
Our Security team is researching possibilities involving this particular attack now. We currently have no other info; in the meantime, you should perform the other recommendations in the above links, most importantly use CSRF on every form.
answered 06 Aug '13, 17:41 johns