
« Stack Exchange Security Blog - wglb
http://security.blogoverflow.com/2012/09/how-can-you-protect-yourself-from-crime-beasts-successor/
======
tnorthcutt
This could really do with a more descriptive title (the HN submission, not the
blog post).

------
dexen
_> (...)compression at the SSL level. HTTP also includes optional compression,
but this one applies only to the body of the requests and responses, not the
header, and thus does not cover the Cookie: header line. HTTP-level
compression is fine._

Guess SPDY is also subject to similar attack -- given that it compresses
headers just as well.

------
peterwwillis
SPDY has header+body DEFLATE compression by design. And if all Google Chrome
requests to google.com use SPDY... that's... a little scary.

Edit: I'm wrong, apparently body compression was removed, added back in, then
removed again:
[https://groups.google.com/forum/#!topic/spdy-dev/HXkhL6TASN4...](https://groups.google.com/forum/#!topic/spdy-dev/HXkhL6TASN4/discussion)

