[Pkg-nginx-maintainers] Bug#919320: nginx-extras: Would you please consider replacing Gzip module with Brotli for compression?

Thomas Ward teward at dark-net.net
Mon Jan 14 23:05:47 GMT 2019


FYI, if I remember right, BREACH is a risk in Brotli as well.

Also, Brotli has a few code-level concerns that the Ubuntu Security Team saw
in a cursory review that could lead to crashes, which led to it being judged
'not suitable for inclusion'.

Just wanted to share this info.

On Mon, Jan 14, 2019, 17:46 Abigaile Johannesburg <abij at tuta.io> wrote:

> Package: nginx-extras
> Version: 1.14.2-2
> Severity: wishlist
>
>
> Hello nginx maintainers,
>
> At the moment, the nginx-extras package includes the gzip module as one of
> the optional HTTP modules. However, it seems gzip compression is vulnerable
> to the BREACH [1] attack, and the vulnerability researchers' recommendation
> is to disable gzip compression. There are also discussions on Stack Exchange [2].
>
> Instead of disabling compression over TLS/SSL completely, Google seems to
> be using a different compression scheme, Brotli [3]. Would you consider
> replacing the nginx gzip module with Brotli?
>
> Thanks,
> Abi,
>
> ---
> [1] http://breachattack.com/#mitigations
> [2]
> https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
> [3] https://github.com/google/ngx_brotli
>
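The length side channel that both messages refer to, as an added example that is not code from the bug report, from nginx or from the Ubuntu Security Team review: a toy page that reflects a query parameter next to a secret token, compressed with zlib, and an attacker loop that recovers the token one character at a time purely from response sizes. The page text, the token `csrf=7f3a9` and the hex alphabet are constructed for the demo. The same back-reference mechanism exists in Brotli, so the oracle survives a change of compressor; only turning compression off (or keeping reflected input and secrets out of the same compressed response) removes it.

```python
"""Toy BREACH length oracle against a deflate-compressed page.

Added example for this thread; not code from the bug report, nginx,
ngx_brotli or the Ubuntu Security Team. The page, the secret and the
attacker loop are all constructed here.
"""
import string
import zlib
from typing import List, Optional

# Constructed, hypothetical secret embedded in the page body. It is kept to
# 10 characters so every LZ77 match length used below falls in deflate's
# 3..10 range, where the fixed Huffman length codes carry no extra bits and
# each correct guess therefore saves exactly one 8-bit literal.
SECRET_TOKEN = "csrf=7f3a9"
HEX = string.hexdigits.lower()[:16]  # '0'..'9', 'a'..'f'


def render_page(reflected: str) -> bytes:
    """Server side: the body echoes attacker input and contains the secret.
    Reflected input and a secret inside the same compressed response is the
    whole precondition for BREACH."""
    html = (
        "<html><body>"
        f"<p>Search results for: {reflected}</p>"
        f'<form><input type="hidden" name="{SECRET_TOKEN}"></form>'
        "</body></html>"
    )
    return html.encode()


def compressed_length(body: bytes, compress: bool = True) -> int:
    """What a passive network attacker observes: the record length.
    TLS hides the bytes but not their count. Z_FIXED pins deflate to its
    static Huffman table so the toy oracle is deterministic; real servers
    use dynamic tables, which adds noise but does not close the channel."""
    if not compress:
        return len(body)
    c = zlib.compressobj(6, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


def guess_next_char(known: str, compress: bool = True) -> List[str]:
    """One BREACH step: reflect known + candidate for every candidate and keep
    those giving the shortest response. Only the correct candidate lengthens
    the LZ77 back-reference from the secret to the reflection by one byte,
    so only it saves a literal. A multi-element result means no leak."""
    sizes = {
        c: compressed_length(render_page(known + c), compress) for c in HEX
    }
    best = min(sizes.values())
    return sorted(c for c, n in sizes.items() if n == best)


def recover_token(known_prefix: str, length: int,
                  compress: bool = True) -> Optional[str]:
    """Drive the oracle character by character from a known prefix.
    Returns None as soon as a step is ambiguous, which is what happens the
    moment compression is switched off."""
    known = known_prefix
    while len(known) < length:
        best = guess_next_char(known, compress)
        if len(best) != 1:
            return None
        known += best[0]
    return known


if __name__ == "__main__":
    n = len(SECRET_TOKEN)
    print("compression on :", recover_token("csrf=", n))           # csrf=7f3a9
    print("compression off:", recover_token("csrf=", n, compress=False))  # None
```

`recover_token` returns `None` rather than a guess as soon as a step is ambiguous, which is exactly what `compress=False` produces: every candidate yields the same length. With zlib's default dynamic Huffman tables the per-request difference is noisier than the clean one byte seen here, which is why the BREACH paper's tooling works with padding tricks and repeated measurements instead of a single comparison. On the nginx side this maps to not gzipping responses that mix user input and secrets (`gzip off;` in those locations), since `gzip_types` only filters by MIME type and cannot tell the two apart.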