[From nobody Fri Jun 12 19:27:06 2026
Received: (at submit) by bugs.debian.org; 14 Jan 2019 22:21:07 +0000
Return-path: <abij@tuta.io>
Date: Mon, 14 Jan 2019 23:21:04 +0100 (CET)
From: Abigaile Johannesburg <abij@tuta.io>
To: Submit <submit@bugs.debian.org>
Message-ID: <LWDS1iG--3-1@tuta.io>
Subject: nginx-extras: Would you please consider replacing Gzip module with
 Brotli for compression?
MIME-Version: 1.0
Content-Type: multipart/alternative; 
 boundary="----=_Part_233026_49473265.1547504464823"
Delivered-To: submit@bugs.debian.org

------=_Part_233026_49473265.1547504464823
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Package: nginx-extras
Version: 1.14.2-2
Severity: wishlist


Hello nginx maintainers,

At the moment, the nginx-extras package includes the gzip module as one of the optional http modules. However, it seems Gzip compression is vulnerable to the BREACH [1] attack and the vulnerability researchers' recommendation is to disable Gzip compression. There are also discussions on Stack Exchange [2].

Instead of disabling compression over TLS/SSL completely, Google seems to be using a different compression scheme, Brotli [3]. Would you consider replacing the nginx Gzip module with Brotli?

Thanks,
Abi

---
[1] http://breachattack.com/#mitigations
[2] https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
[3] https://github.com/google/ngx_brotli

------=_Part_233026_49473265.1547504464823--
]
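
Added example, not part of the original report: a check a site operator can run to see whether a response leaks through its compressed length, and whether per-response masking of the secret closes the gap. The token values, page template and helper names are constructed for illustration; zlib's DEFLATE stands in for the output of the nginx gzip module.

```python
import secrets
import zlib

# Constructed sample values (not taken from the bug report).
TOKEN = "9f2c7a1e4b8d03565e1fa0c37d249b86"  # per-session CSRF token
WRONG = "41d07be2a95c3f681b7e02c4d85a6f93"  # same length, unrelated value

PAGE = (
    "<html><body><h1>Search</h1>"
    "<p>You searched for: {reflected}</p>"
    '<form method="post"><input type="hidden" name="csrf" value="{token}">'
    "</form></body></html>"
)

def render(reflected: str, token_field: str) -> bytes:
    """Build a response that echoes request input next to a secret."""
    return PAGE.format(reflected=reflected, token=token_field).encode()

def compressed_len(body: bytes) -> int:
    """Body length an on-path observer sees after DEFLATE compression."""
    return len(zlib.compress(body, 6))

def mask(token: str) -> str:
    """Per-response masking: emit pad || (pad XOR token), both as hex.

    The bytes on the wire change with every response, so echoed input
    can no longer form a back-reference to the secret.
    """
    raw = bytes.fromhex(token)
    pad = secrets.token_bytes(len(raw))
    return pad.hex() + bytes(a ^ b for a, b in zip(pad, raw)).hex()

def unmask(field: str) -> str:
    """Server side: recover the token from a masked field."""
    half = len(field) // 2
    pad, masked = bytes.fromhex(field[:half]), bytes.fromhex(field[half:])
    return bytes(a ^ b for a, b in zip(pad, masked)).hex()

def length_gap(protect) -> int:
    """Bytes saved when the echoed input equals the secret vs. when it does not."""
    field = protect(TOKEN)  # what the server writes into the page
    miss = compressed_len(render(WRONG, field))
    hit = compressed_len(render(TOKEN, field))
    return miss - hit

if __name__ == "__main__":
    print("gap, raw token:   ", length_gap(lambda t: t))
    print("gap, masked token:", length_gap(mask))
```

The measurement does not depend on the gzip container: replace the body of compressed_len with another codec's compress call to run the same check against it.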