Chrome & CRIME & potential SPDY cookie header incompatibility issue | William Chan | 9/21/12 2:40 PM
As y'all have most likely heard by now, SSL and SPDY compression is vulnerable to the CRIME attack (http://www.imperialviolet.org/2012/09/21/crime.html). To address the SPDY portion of this, in Chrome 21, we disabled SPDY compression in Chrome as a quick fix.
As Adam explains, we have a more complicated fix in Chrome 22 that is intended to regain most of the benefits of compression by compressing sensitive data separately. Unfortunately, in doing this fix, we removed the whitespace in the separator for Cookie values. Normally, values should be separated by "; ", but now they are separated by ";" only. See https://code.google.com/p/chromium/issues/detail?id=151433 for the Chromium bug report. It's possible that some servers may have compatibility issues with this change.
We're fixing both Chrome 22 (currently in beta channel) and Chrome 23 (currently in dev channel) now, but it's unclear when the fix for Chrome 22 will be released. Please feel free to contact us if this is problematic. We're trying to address this as fast as is reasonable. Sorry for any problems this may cause.
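To make the compatibility concern concrete, here is an added illustration (my own example code, not part of the thread and not Chromium or any server's code) of how a server-side Cookie header parser behaves when the separator changes from "; " to ";". The two header strings are constructed sample inputs, and the parser names are hypothetical. A parser that splits strictly on "; " swallows the whole header into the first cookie's value, while a parser that splits on ";" and trims whitespace handles both forms, which is what a server wanting to stay compatible with Chrome 22 beta traffic needs.

```python
from typing import Dict

# Constructed sample inputs: the same three cookies, first with the usual
# RFC 6265 separator ("; "), then with the separator Chrome 22 beta emitted (";").
RFC_STYLE = "session=abc123; theme=dark; csrf=tok9"
CHROME22_STYLE = "session=abc123;theme=dark;csrf=tok9"


def parse_cookie_strict(header: str) -> Dict[str, str]:
    """Hypothetical strict parser: assumes cookie-pairs are separated by
    exactly "; ", which is what RFC 6265 says a user agent sends."""
    cookies: Dict[str, str] = {}
    for pair in header.split("; "):
        if "=" not in pair:
            continue
        name, value = pair.split("=", 1)  # values may themselves contain "="
        cookies[name] = value
    return cookies


def parse_cookie_tolerant(header: str) -> Dict[str, str]:
    """Hypothetical tolerant parser: splits on ";" alone and trims whitespace,
    so it accepts both "; " and ";" as separators."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue  # skip empty segments and malformed pairs
        name, value = pair.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def missing_cookies(header: str, expected: Dict[str, str], parser) -> Dict[str, str]:
    """Returns the expected cookies that `parser` failed to recover from `header`.
    Useful as a quick compatibility check in server-side tests."""
    got = parser(header)
    return {k: v for k, v in expected.items() if got.get(k) != v}


if __name__ == "__main__":
    expected = {"session": "abc123", "theme": "dark", "csrf": "tok9"}
    for label, header in (("RFC style", RFC_STYLE), ("Chrome 22 style", CHROME22_STYLE)):
        print(label, "strict  ->", parse_cookie_strict(header))
        print(label, "tolerant->", parse_cookie_tolerant(header))
        print(label, "strict misses:", missing_cookies(header, expected, parse_cookie_strict))
```

Running it shows the strict parser returning a single cookie named "session" whose value is the rest of the header when fed the ";"-separated form, so the "theme" and "csrf" cookies are silently lost; the tolerant parser returns all three in both cases.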
Re: [spdy-dev] Chrome & CRIME & potential SPDY cookie header incompatibility issue | Patrick McManus | 9/22/12 9:00 AM
fwiw firefox 15 has upstream compression disabled to address the immediate problem and we haven't decided on a course of action beyond that.