1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

crypto: comment change on disabling compression

Browse Source 
This is a comment change, where it originally says disabling TLS
Compression protects against BEAST attack. But in fact, it is the
CRIME attack(Compression Ratio Info-leak Made Easy) that makes use
of TLS Compression and not BEAST.

BEAST(Browser Exploit Against SSL/TLS) is an entirely another variant
making use of the chosen boundary attack against CBC mode in
encryption.

Just making sure, that the exact reason for disabling TLS compression
must be made clear and not be misleading with some other attack.
This commit is contained in:
Ahamed Nafeez 2013-12-15 04:17:00 +05:30 committed by Fedor Indutny
parent 8803aa3af7
commit 8a79cca80c
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/node_crypto.cc
View File

@ -4060,7 +4060,7 @@ void InitCryptoOnce() {
CRYPTO_set_locking_callback(crypto_lock_cb);
CRYPTO_THREADID_set_callback(crypto_threadid_cb);
// Turn off compression. Saves memory and protects against BEAST attacks.
// Turn off compression. Saves memory and protects against CRIME attacks.
#if !defined(OPENSSL_NO_COMP)
#if OPENSSL_VERSION_NUMBER < 0x00908000L
STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_method();