chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Subdomains *.compression.badssl.com #209

Open · BenBE opened 7 years ago

BenBE commented 7 years ago

To test for various types of compression issues (e.g. CRIME), a test subdomain offering encryption (one for deflate and one for LZS) would be nice:

Connection should be accepted when the client offers the indicated compression method in its ClientHello.
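The exchange the proposed subdomains would exercise, seen from the client side, as an added example (this is not code from badssl.com or from either commenter): it hand-builds a TLS 1.2 ClientHello whose compression_methods list leads with the method under test, sends it, and reads the server's first record. A ServerHello whose compression_method echoes the offered method means the server accepted it; a ServerHello choosing null or an Alert means it did not. The host names `deflate.compression.badssl.com` and `lzs.compression.badssl.com` are the ones this issue proposes and are assumed, not existing hosts; the ServerHello and Alert byte strings at the bottom are constructed fixtures, not captured traffic.

```python
"""Offer a TLS compression method in a ClientHello and see whether the server picks it.

Added example, not badssl.com code. Only the ClientHello/ServerHello exchange is
performed; no handshake is completed and nothing is verified.
"""
import socket
import struct

# Compression method identifiers (RFC 5246 section 6.2.2, RFC 3749, RFC 3943).
COMPRESSION_NULL = 0x00
COMPRESSION_DEFLATE = 0x01
COMPRESSION_LZS = 0x40

# A handful of common TLS 1.2 suites; enough for a server to produce a ServerHello.
CIPHER_SUITES = (0x002F, 0x0035, 0xC013, 0xC014, 0xC02F, 0xC030)


def build_client_hello(server_name, compression_methods, client_random=b"\x00" * 32):
    """Return one TLS record carrying a TLS 1.2 ClientHello with SNI = server_name.

    client_random is zeroed by default; a real client must use 32 random bytes.
    No supported_versions extension is sent, so a TLS 1.3 server (which allows
    only null compression) will negotiate 1.2 or lower, or answer with an alert.
    """
    if len(client_random) != 32:
        raise ValueError("client_random must be exactly 32 bytes")
    methods = bytes(compression_methods)
    if COMPRESSION_NULL not in methods:
        methods += bytes([COMPRESSION_NULL])          # RFC 5246: null must always be offered
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    name = server_name.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(name)) + name             # NameType host_name (0)
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    body = (
        b"\x03\x03" + client_random                                 # client_version, random
        + b"\x00"                                                   # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + struct.pack("!B", len(methods)) + methods                 # the field under test
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Decode the first TLS record in data as a ServerHello or an Alert."""
    if len(data) < 5:
        raise ValueError("short record header (server may have closed the connection)")
    content_type, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    if content_type == 0x15 and length >= 2:                       # Alert
        return {"type": "alert", "level": payload[0], "description": payload[1]}
    if content_type != 0x16 or not payload or payload[0] != 0x02:
        raise ValueError("expected ServerHello or Alert")
    hello = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    sid_end = 35 + hello[34]                 # server_version(2) + random(32) + session_id_len(1)
    if len(hello) < sid_end + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hello[sid_end:sid_end + 2])[0]
    return {"type": "server_hello", "cipher_suite": cipher, "compression_method": hello[sid_end + 2]}


def classify(response, method):
    """'accepted' if the server chose the offered method, 'refused' if it chose null, 'alert' otherwise."""
    if response["type"] == "alert":
        return "alert"
    return "accepted" if response["compression_method"] == method else "refused"


def probe_compression(host, port, method, timeout=5.0):
    """Offer `method` (then null) to host:port and classify the server's first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host, [method, COMPRESSION_NULL]))
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(parse_server_response(data), method)


# Constructed wire samples (not captured traffic) so the parser can be exercised offline.
SAMPLE_SERVER_HELLO_DEFLATE = bytes.fromhex(
    "160303002a"        # record header: handshake, TLS 1.2, 42 bytes follow
    "02000026"          # handshake header: ServerHello, 38-byte body
    "0303"              # server_version
    + "11" * 32         # server_random (constructed)
    + "00"              # session_id length 0
    + "002f"            # TLS_RSA_WITH_AES_128_CBC_SHA
    + "01"              # compression_method = deflate
)
SAMPLE_ALERT_HANDSHAKE_FAILURE = bytes.fromhex("1503030002" "0228")   # fatal(2) handshake_failure(40)

if __name__ == "__main__":
    import sys
    # Hypothetical hosts from this issue; substitute any TLS server to probe it.
    hosts = sys.argv[1:] or ["deflate.compression.badssl.com", "lzs.compression.badssl.com"]
    for host in hosts:
        for method in (COMPRESSION_DEFLATE, COMPRESSION_LZS):
            print(f"{host}: compression 0x{method:02x} -> {probe_compression(host, 443, method)}")
```

A server that will not talk to such a client at all may simply close the socket instead of sending an Alert; `parse_server_response` then raises on the empty read rather than returning a classification, so treat a `ValueError` from `probe_compression` as a refusal too. The probe reports what the server selects; whether a particular browser is exposed is a separate question of what it puts in its own compression_methods list, which is what the proposed subdomains would let one observe from the server side.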

lgarron commented 7 years ago

badssl.com is also focused on cases that result in different UI, rather than subtle vulnerabilities. Testing clients for compression vulnerabilities (/feature support) is more of a job for scanners like https://www.ssllabs.com/ssltest/viewMyClient.html

However, I don't see a strong reason not to include these, if someone wants to implement them. Do you have a use case in mind, especially where compression causes visible differences in the client?

(I also want to avoid a combinatorial explosion of subdomains, especially if it would require new certs. But we could certainly place a few compression-related domains directly under the wildcard cert.)