Disable TLS Compression for Security
TLS connections must not use compression, because compressing data before encryption lets an attacker learn about the plaintext from the size of the ciphertext.
Plain language
This control is about turning off a feature called TLS compression in secure online connections. It matters because if TLS compression is on, it might let cyber attackers steal sensitive information like passwords or credit card numbers by exploiting weaknesses in the way data is compressed. This could lead to data breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Section
Transport Layer Security
Official control statement
TLS compression is disabled for TLS connections.
Why it matters
If TLS compression is enabled, an attacker who can inject chosen plaintext into a victim's connection (for example through script-triggered requests) and observe the size of the resulting encrypted records can recover secrets such as session cookies one byte at a time, because a correct guess compresses better and yields a shorter record. This is the CRIME attack (2012); the organisation then bears the financial and reputational damage of the resulting account or data compromise.
Operational notes
Re-verify after patches, upgrades or rebuilds (for example with openssl s_client, whose summary reports "Compression: NONE" when it is off, or nmap's ssl-enum-ciphers script, which should list only the NULL compressor), because a replaced TLS library, a rebuilt package or a restored configuration can bring compression back. TLS 1.3 has no compression at all, so the check concerns TLS 1.2 and earlier.
Implementation tips
- The IT team should check the settings on all servers and applications to make sure TLS compression is turned off. This means reviewing the configuration files or settings panels where encrypted communication options are set, and also the TLS library the software is built on, since compression is usually a library-level setting rather than an application one. A step-by-step guide or checklist can help ensure nothing is overlooked.
- System administrators should regularly update the documentation for all software that uses TLS to ensure current settings are always recorded. They should include screenshots or descriptions of the relevant settings, noting locations where TLS compression options are configured.
- IT managers should coordinate with their vendors or service providers to confirm that products and services they use also have TLS compression disabled. They should request confirmation in writing that the vendors do not enable this feature in their services.
- Cybersecurity consultants or IT security personnel should conduct security assessments on organisation networks to verify that TLS compression is disabled, using TLS scanning tools (for example openssl s_client, nmap's ssl-enum-ciphers script or testssl.sh) to confirm that no compression method is negotiated on any exposed service.
- Technology procurement staff should include requirements to disable TLS compression in their vendor and purchase agreements. Before finalising any contract, review technical specifications to ensure compatibility with this security requirement.
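The operational note above and the configuration-review tip both come down to one repeatable check. The script below is an added example written for this page, not ISM guidance or a vendor tool: it parses openssl s_client and nmap ssl-enum-ciphers output (the real formats of those tools, but the transcripts embedded here are constructed, not captured from any host), flags an explicit Apache "SSLCompression on", and handles the failure mode where a handshake that never completed still prints "Compression: NONE". The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the ISM or this page: offline-testable helpers for the
# "verify compression is off" check. The live probe is
#   openssl s_client -connect HOST:443 -tls1_2 </dev/null 2>/dev/null
# whose summary reports "Compression: NONE" / "Expansion: NONE" when no TLS-level
# compression was negotiated and e.g. "Compression: zlib compression" when it was.
# The functions take the tool output as a string so they run against the
# constructed samples at the bottom without network access.

# Echo the compression method from an s_client transcript: NONE when off, the
# method name when on, UNKNOWN when no handshake completed.
tls_compression_from_s_client() {
    # A failed handshake still prints "Compression: NONE" under
    # "New, (NONE), Cipher is (NONE)", so require a negotiated cipher first.
    if ! printf '%s\n' "$1" | grep -q '^New, .*Cipher is [^(]'; then
        echo UNKNOWN
        return 0
    fi
    method=$(printf '%s\n' "$1" | sed -n 's/^Compression: *//p' | head -n 1)
    if [ -n "$method" ]; then echo "$method"; else echo UNKNOWN; fi
}

# Exit 0 only when the transcript proves that compression was not negotiated.
tls_compression_check() {
    [ "$(tls_compression_from_s_client "$1")" = NONE ]
}

# List the compressors in `nmap --script ssl-enum-ciphers` output, sorted and
# space-separated. A compliant server lists only NULL.
tls_compressors_from_nmap() {
    printf '%s\n' "$1" | awk '
        /compressors:/ { grab = 1; next }
        grab {
            line = $0
            sub(/^[|][ ]*/, "", line); sub(/[ ]*$/, "", line)
            if (line ~ /^[A-Z][A-Z0-9_]*$/) { print line; next }
            grab = 0
        }' | sort -u | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# Apache httpd mod_ssl controls TLS compression with "SSLCompression", which
# defaults to off in current 2.4 releases; an explicit "on" is the finding.
# Exit 0 (true) when the given config text turns it on.
apache_ssl_compression_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*SSLCompression[[:space:]]+on([[:space:]]|$)'
}

# Live probe (needs the openssl CLI and network; not used by the samples).
# TLS 1.2 is requested explicitly because TLS 1.3 removed compression.
probe_tls_compression() {
    transcript=$(openssl s_client -connect "$1" -servername "${1%%:*}" -tls1_2 </dev/null 2>/dev/null)
    tls_compression_from_s_client "$transcript"
}

# Constructed samples (abridged openssl/nmap output shapes, not real captures).
S_CLIENT_OFF='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE'
S_CLIENT_ON='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression'
S_CLIENT_FAILED='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE'
NMAP_OFF='|   TLSv1.2:
|     compressors:
|       NULL
|     cipher preference: server'
NMAP_ON='|   TLSv1.2:
|     compressors:
|       DEFLATE
|       NULL
|     cipher preference: server'
APACHE_WEAK='SSLEngine on
SSLCompression on'
APACHE_FIXED='SSLEngine on
SSLCompression off'

printf 'openssl, compression off:  %s\n' "$(tls_compression_from_s_client "$S_CLIENT_OFF")"
printf 'openssl, compression on:   %s\n' "$(tls_compression_from_s_client "$S_CLIENT_ON")"
printf 'openssl, handshake failed: %s\n' "$(tls_compression_from_s_client "$S_CLIENT_FAILED")"
printf 'nmap compressors:          %s\n' "$(tls_compressors_from_nmap "$NMAP_ON")"
```

Treat UNKNOWN as a separate finding rather than a pass: it means the probe did not complete a TLS 1.2 handshake, which is fine for a server that only accepts TLS 1.3 (no compression is possible there) but needs a protocol-version check to confirm.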
Audit / evidence tips
- Ask for the server configuration documents: request the configuration files or documentation showing TLS settings for all servers.
  Good evidence is clear documentation showing TLS compression explicitly disabled.
- Ask for network security assessment reports: request a recent security audit report covering TLS configurations.
  Good evidence is a detailed report in which no service negotiated a TLS compression method.
- Ask for communication logs with vendors: request emails or letters in which vendors confirm their products have TLS compression disabled.
  Good evidence is a clear statement from the vendor addressing the TLS compression status.
- Ask about personnel training records: request records showing training sessions for IT staff on setting up TLS correctly.
  Good evidence includes comprehensive logs of training and the materials used.
- Ask for the change management documentation: request logs from any system changes involving TLS configurations.
  Good evidence includes change requests and completion notes stating that TLS compression was disabled.
Cross-framework mappings
How ISM-1553 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Mapping strength | Notes |
|---|---|---|
| Annex A 8.20 | Partially meets | ISM-1553 requires TLS compression to be disabled for TLS connections to reduce protocol-level cryptographic risk |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.