<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<div style="16px">Package: nginx-extras<br /></div><div style="16px">Version: 1.14.2-2<br /></div><div style="16px">Severity: wishlist<br /></div><div style="16px"><br /></div><div style="16px"><br /></div><div style="16px">Hello nginx maintainers,<br /></div><div style="16px"><br /></div><div style="16px">At the moment, nginx-extra package includes gzip module as one of the optional http modules. However it seems Gzip compression is vulnerable to BREACH [1] attack and the vulnerability researchers' recommendation is to disable Gzip compression. There are also discussions on stackexchange [2].<br /></div><div style="16px"><br /></div><div style="16px">Instead of disabling compression over TLS/SSL completely, Google seems to be using a different compression scheme Brotli [3]. Would you consider replacing nginx Gzip module with Brotli?<br /></div><div style="16px"><br /></div><div style="16px">Thanks,<br /></div><div style="16px">Abi,<br /></div><div style="16px"><br /></div><div style="16px">---<br /></div><div style="16px">[1] <a href="http://breachattack.com/#mitigations">http://breachattack.com/#mitigations</a><br /></div><div style="16px">[2] <a href="https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack">https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack</a><br /></div><div style="16px">[3] <a href="https://github.com/google/ngx_brotli">https://github.com/google/ngx_brotli</a><br /></div> </body>
</html>