by philcrump
2690 days ago
My understanding is that the 'gzip' directive applies to HTTP compression, which is only performed on the body of the response (both in HTTP & HTTPS), and not SSL/TLS compression which compresses the headers and so is vulnerable to the CRIME attack. SSL/TLS compression has been disabled in nginx since 1.3.2[1].

[1] http://mailman.nginx.org/pipermail/nginx-announce/2012/00008...