Thanks for sharing your thought. But I just checked Google's home page, it is 
using 'content-encoding: br'. I wonder how they curb the security concern. 

Then how about keeping Gzip and include length_hiding module in nginx-extra 
instead? 

https://github.com/nulab/nginx-length-hiding-filter-module 
<https://github.com/nulab/nginx-length-hiding-filter-module>

Or we should not use any compression at all?

Thanks,
Abi

Jan 14, 2019, 11:05 PM by [email protected]:

> FYI if I remember right BREACH is a risk in Brotli as well.
>
> Also Brotli has a few code level concerns that the Ubuntu Security Team saw 
> in a cursory review that could lead to crashes which made it judged 'not 
> suitable for inclusion'.
>
> Just wanted to share this info.
>
> On Mon, Jan 14, 2019, 17:46 Abigaile Johannesburg <> [email protected] 
> <mailto:[email protected]>>  wrote:
>
>> Package: nginx-extras
>> Version: 1.14.2-2
>> Severity: wishlist
>>
>>
>> Hello nginx maintainers,
>>
>> At the moment, nginx-extra package includes gzip module as one of the 
>> optional http modules. However it seems Gzip compression is vulnerable to 
>> BREACH [1] attack and the vulnerability researchers' recommendation is to 
>> disable Gzip compression. There are also discussions on stackexchange [2].
>>
>> Instead of disabling compression over TLS/SSL completely, Google seems to be 
>> using a different compression scheme Brotli [3]. Would you consider 
>> replacing nginx Gzip module with Brotli?
>>
>> Thanks,
>> Abi,
>>
>> ---
>> [1] >> http://breachattack.com/#mitigations 
>> <http://breachattack.com/#mitigations>
>> [2] >> 
>> https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
>>  
>> <https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack>
>> [3] >> https://github.com/google/ngx_brotli 
>> <https://github.com/google/ngx_brotli>
>>

Reply via email to