Thanks for sharing your thought. But I just checked Google's home page, it is using 'content-encoding: br'. I wonder how they curb the security concern.
Then how about keeping Gzip and include length_hiding module in nginx-extra instead? https://github.com/nulab/nginx-length-hiding-filter-module <https://github.com/nulab/nginx-length-hiding-filter-module> Or we should not use any compression at all? Thanks, Abi Jan 14, 2019, 11:05 PM by [email protected]: > FYI if I remember right BREACH is a risk in Brotli as well. > > Also Brotli has a few code level concerns that the Ubuntu Security Team saw > in a cursory review that could lead to crashes which made it judged 'not > suitable for inclusion'. > > Just wanted to share this info. > > On Mon, Jan 14, 2019, 17:46 Abigaile Johannesburg <> [email protected] > <mailto:[email protected]>> wrote: > >> Package: nginx-extras >> Version: 1.14.2-2 >> Severity: wishlist >> >> >> Hello nginx maintainers, >> >> At the moment, nginx-extra package includes gzip module as one of the >> optional http modules. However it seems Gzip compression is vulnerable to >> BREACH [1] attack and the vulnerability researchers' recommendation is to >> disable Gzip compression. There are also discussions on stackexchange [2]. >> >> Instead of disabling compression over TLS/SSL completely, Google seems to be >> using a different compression scheme Brotli [3]. Would you consider >> replacing nginx Gzip module with Brotli? >> >> Thanks, >> Abi, >> >> --- >> [1] >> http://breachattack.com/#mitigations >> <http://breachattack.com/#mitigations> >> [2] >> >> https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack >> >> <https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack> >> [3] >> https://github.com/google/ngx_brotli >> <https://github.com/google/ngx_brotli> >>

