<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<div style="16px" text-align="left">Thanks for sharing your thought. But I just checked Google's home page, it is using 'content-encoding: br'. I wonder how they curb the security concern. <br /></div><div style="16px" text-align="left"><br /></div><div style="16px" text-align="left">Then how about keeping Gzip and include length_hiding module in nginx-extra instead? <br /></div><div style="16px" text-align="left"><br /></div><div style="16px"><a href="https://github.com/nulab/nginx-length-hiding-filter-module">https://github.com/nulab/nginx-length-hiding-filter-module</a><br /></div><div style="16px" text-align="left"><br /></div><div style="16px" text-align="left">Or we should not use any compression at all?<br /></div><div style="16px" text-align="left"><br /></div><div style="16px" text-align="left">Thanks,<br /></div><div style="16px" text-align="left">Abi<br /></div><div style="16px" text-align="left"><br /></div><div style="16px" text-align="left">Jan 14, 2019, 11:05 PM by teward@dark-net.net:<br /></div><blockquote class="tutanota_quote" style="border-left: 1px solid #93A3B8; padding-left: 10px; margin-left: 5px;"><div><div style="16px" text-align="left">FYI if I remember right BREACH is a risk in Brotli as well.<br /></div><div><br /></div><div>Also Brotli has a few code level concerns that the Ubuntu Security Team saw in a cursory review that could lead to crashes which made it judged 'not suitable for inclusion'.<br /></div><div><br /></div><div>Just wanted to share this info.<br /></div></div><div style="16px" text-align="left"><br /></div><div class=""><div>On Mon, Jan 14, 2019, 17:46 Abigaile Johannesburg <<a href="mailto:abij@tuta.io" rel="noopener noreferrer" target="_blank">abij@tuta.io</a> wrote:<br /></div><blockquote class="" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Package: nginx-extras<br /></div><div>Version: 1.14.2-2<br /></div><div>Severity: wishlist<br /></div><div><br /></div><div><br /></div><div>Hello nginx maintainers,<br /></div><div><br /></div><div>At the moment, nginx-extra package includes gzip module as one of the optional http modules. However it seems Gzip compression is vulnerable to BREACH [1] attack and the vulnerability researchers' recommendation is to disable Gzip compression. There are also discussions on stackexchange [2].<br /></div><div><br /></div><div>Instead of disabling compression over TLS/SSL completely, Google seems to be using a different compression scheme Brotli [3]. Would you consider replacing nginx Gzip module with Brotli?<br /></div><div><br /></div><div>Thanks,<br /></div><div>Abi,<br /></div><div><br /></div><div>---<br /></div><div>[1] <a href="http://breachattack.com/#mitigations" rel="noopener noreferrer" target="_blank">http://breachattack.com/#mitigations</a><br /></div><div>[2] <a href="https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack" rel="noopener noreferrer" target="_blank">https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack</a><br /></div><div>[3] <a href="https://github.com/google/ngx_brotli" rel="noopener noreferrer" target="_blank">https://github.com/google/ngx_brotli</a><br /></div></div></blockquote></div></blockquote><div style="16px" text-align="left"><br /></div> </body>
</html>