Open BenBE opened 7 years ago
badssl.com is also focused on cases that result in different UI, rather than subtle vulnerabilities. Testing clients for compression vulnerabilities (/feature support) is more of a job for scanners like https://www.ssllabs.com/ssltest/viewMyClient.html
However, I don't see a strong reason not to include these, if someone wants to implement them. Do you have a use case in mind, especially where compression causes visible differences in the client?
(I also want to avoid a combinatorial explosion of subdomains, especially if it would require new certs. But we could certainly place a few compression-related domains directly under the wildcard cert.)
To test for various types of compression issues (e.g. CRIME), a test subdomain offering encryption (one for deflate, and one for LZS each) would be nice:
Connection should be accepted when the client offers the indicated compression method in its ClientHello.
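The acceptance rule requested above (the test host accepts only when the ClientHello advertises the compression method under test), as an added example in Python; this is not badssl.com code, and the ClientHello bytes are constructed inline rather than captured from a real client. Method identifiers follow RFC 3749 (DEFLATE = 1) and RFC 3943 (LZS = 64).

```python
import struct

# TLS compression_methods identifiers (RFC 3749 for DEFLATE, RFC 3943 for LZS).
COMPRESSION_NULL = 0x00
COMPRESSION_DEFLATE = 0x01
COMPRESSION_LZS = 0x40


def parse_client_hello_compression(record: bytes) -> list:
    """Return the compression_methods list advertised in a TLS ClientHello record.

    Raises ValueError when the bytes are not a well-formed ClientHello.
    """
    if len(record) < 9 or record[0] != 0x16:   # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x01:                       # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    body = record[9:]                           # skip record + handshake headers
    try:
        pos = 2 + 32                            # client_version + random
        sid_len = body[pos]
        pos += 1 + sid_len                      # session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        pos += 2 + cs_len                       # cipher_suites
        cm_len = body[pos]
        pos += 1
        methods = list(body[pos:pos + cm_len])
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    if len(methods) != cm_len:
        raise ValueError("truncated compression_methods")
    return methods


def should_accept(record: bytes, required_method: int) -> bool:
    """Accept the connection only if the client offers the method this test host exercises."""
    return required_method in parse_client_hello_compression(record)


def build_client_hello(compression_methods: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a real capture)."""
    cipher_suites = b"\x00\x2f\xc0\x2f"         # two arbitrary suite ids
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"               # version, random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression_methods)]) + compression_methods
            + b"\x00\x00")                                      # empty extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A client that only ever sends the null method (as every modern browser does) is rejected by the deflate and LZS hosts, which is the visible difference the test subdomain would expose.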