[Pkg-nginx-maintainers] Bug#919320: nginx-extras: Would you please consider replacing Gzip module with Brotli for compression?

Abigaile Johannesburg abij at tuta.io
Mon Jan 14 22:21:04 GMT 2019


Package: nginx-extras
Version: 1.14.2-2
Severity: wishlist


Hello nginx maintainers,

At the moment, the nginx-extras package includes the gzip module as one of the optional http modules. However, it seems Gzip compression is vulnerable to the BREACH [1] attack, and the vulnerability researchers' recommendation is to disable Gzip compression. There are also discussions on Stack Exchange [2].

Instead of disabling compression over TLS/SSL completely, Google seems to be using a different compression scheme, Brotli [3]. Would you consider replacing the nginx Gzip module with Brotli?

Thanks,
Abi,

---
[1] http://breachattack.com/#mitigations
[2] https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
[3] https://github.com/google/ngx_brotli