Mirrored documentation
This page is a faithful mirror of the original Apache mod_pagespeed documentation (Apache License 2.0). The upstream project was retired and the modpagespeed.com domain is now operated by an unrelated commercial vendor; we host the original reference so users of nginx-module-pagespeed from GetPageSpeed can rely on a stable copy.
mod_pagespeed and ngx_pagespeed Security Advisory: SSL fetching man-in-the-middle attack.
Disclosed: June 17th, 2014
Versions Affected:
- mod_pagespeed 1.7.30.1 through 1.7.30.4 (fixed in 1.7.30.5)
- mod_pagespeed and ngx_pagespeed 1.8.31.1 through 1.8.31.3 (fixed in 1.8.31.4)
Summary: Some versions of mod_pagespeed and ngx_pagespeed, in order to support fetching of HTTPS content, link in versions of OpenSSL that are vulnerable to a man-in-the-middle attack. This attack permits an adversary that can monitor and alter traffic between a client (mod_pagespeed or ngx_pagespeed in this case) and a server to decrypt and modify encrypted transfers, as long as both are running vulnerable versions (see CVE-2014-0224 for more detail).
mod_pagespeed and ngx_pagespeed users are only vulnerable if they turn on the optional FetchHttps feature.
Solution: For mod_pagespeed, update to one of versions 1.7.30.5-stable, 1.8.31.4-beta or newer.
For ngx_pagespeed, update to 1.8.31.4-beta or newer.
Workaround:
Use a method other than FetchHttps to fetch HTTPS content, as described in the HTTP Support documentation.
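A triage check built from the version ranges and the FetchHttps condition above, as an added example that is not part of the original advisory or of the pagespeed code. The directive spellings (`ModPagespeedFetchHttps`, `pagespeed FetchHttps`) follow pagespeed's configuration syntax rather than this page, and the function names, sample configurations, version-suffix handling and last-directive-wins rule are assumptions.

```python
import re

# Affected ranges from the advisory: (first affected, first fixed, products).
AFFECTED = [
    ((1, 7, 30, 1), (1, 7, 30, 5), {"mod_pagespeed"}),
    ((1, 8, 31, 1), (1, 8, 31, 4), {"mod_pagespeed", "ngx_pagespeed"}),
]

# Assumed directive spellings: Apache "ModPagespeedFetchHttps <opts>",
# nginx "pagespeed FetchHttps <opts>;". Commented-out lines do not match.
DIRECTIVE = re.compile(
    r"^[ \t]*(?:ModPagespeedFetchHttps|pagespeed[ \t]+FetchHttps)[ \t]+([^;#\s]+)",
    re.IGNORECASE | re.MULTILINE,
)

def parse_version(text):
    """'1.8.31.3-beta' -> (1, 8, 31, 3); a '-stable'/'-beta'/build suffix is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-\w+)?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised pagespeed version: {text!r}")
    return tuple(int(part) for part in m.groups())

def version_affected(product, version):
    """True if this product/version falls inside a range the advisory lists."""
    v = parse_version(version)
    return any(product in products and first <= v < fixed
               for first, fixed, products in AFFECTED)

def fetch_https_enabled(config_text):
    """True if the last FetchHttps directive lists 'enable' (scopes are ignored)."""
    enabled = False  # the advisory calls FetchHttps optional, so absent means off
    for m in DIRECTIVE.finditer(config_text):
        enabled = "enable" in m.group(1).strip("\"'").lower().split(",")
    return enabled

def exposed(product, version, config_text):
    """Both advisory conditions: affected build and FetchHttps turned on."""
    return version_affected(product, version) and fetch_https_enabled(config_text)

# Constructed sample configurations, not taken from any real host.
APACHE_CONF = "ModPagespeed on\nModPagespeedFetchHttps enable,allow_self_signed\n"
NGINX_CONF = "pagespeed on;\n# pagespeed FetchHttps enable;\n"

if __name__ == "__main__":
    print(exposed("mod_pagespeed", "1.7.30.4-stable", APACHE_CONF))
    print(exposed("ngx_pagespeed", "1.8.31.3-beta", NGINX_CONF))
```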