Thanks. We've been segregating authenticated vs non-authenticated traffic to different domains for a few years now (we had the same realization as moot), but I was unaware about this specific exploit related to TLS compression.
That said, it seems on nginx TLS compression was not enabled by default, so we are ok (for this known vulnerability).
That said, it seems on nginx TLS compression was not enabled by default, so we are ok (for this known vulnerability).