SSL is now vulnerable to session hijacking in some circumstances. If your site runs SSL/TLS, compression needs to be turned off.

http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312

http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor/19914#19914
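
One way to check the setting from Python's standard `ssl` module, as an added example that is not part of the original post: it builds a client context that never offers TLS compression and probes a server you administer for the compression method it accepts. The function names are illustrative, and the host passed on the command line is an assumption.

```python
import socket
import ssl
import sys


def no_compression_context() -> ssl.SSLContext:
    """Client context that never offers TLS-level compression."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION  # explicit, whatever the build default
    return ctx


def compression_allowed(ctx: ssl.SSLContext) -> bool:
    """True if this context may still negotiate TLS compression."""
    return not (ctx.options & ssl.OP_NO_COMPRESSION)


def probe_context() -> ssl.SSLContext:
    """Audit-only context that offers compression so the server's answer shows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # audit probe: only handshake parameters are read
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no compression
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


def negotiated_compression(host: str, port: int = 443, timeout: float = 5.0):
    """Return the compression method the server accepted, or None.

    None is only conclusive if the local OpenSSL was built with zlib;
    many builds are not, and then compression is never offered.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with probe_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()


if __name__ == "__main__" and len(sys.argv) > 1:
    method = negotiated_compression(sys.argv[1])  # a host you administer
    print("TLS compression:", method or "none negotiated")
```

Any non-`None` result means the server still accepts TLS compression and its configuration needs changing.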