Re: disable SSL compression?

Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> I agree the attack is less likely to be applicable in typical database
> installations.  I think we should move forward with considering protocol
> compression proposals, but any final result should put a warning in the
> documentation that using compression is potentially insecure.

It seemed like the attack you described wasn't all that dependent on
whether the data is compressed or not: if you can see the size of the
server's reply to "select ... where account_number = x", you can pretty
well tell the difference between 0 and 1 rows, with or without
compression.  So I'm still not very clear on what the threat model is.

            regards, tom lane