[Pkg-nginx-maintainers] Bug#919320: nginx-extras: Would you please consider replacing Gzip module with Brotli for compression?

Abigaile Johannesburg abij at tuta.io
Mon Jan 14 23:34:01 GMT 2019


Thanks for sharing your thoughts. But I just checked Google's home page; it is using 'content-encoding: br'. I wonder how they curb the security concern.

Then how about keeping Gzip and including the length_hiding module in nginx-extras instead?

https://github.com/nulab/nginx-length-hiding-filter-module

Or we should not use any compression at all?

Thanks,
Abi

Jan 14, 2019, 11:05 PM by teward at dark-net.net:

> FYI if I remember right BREACH is a risk in Brotli as well.
>
> Also Brotli has a few code level concerns that the Ubuntu Security Team saw in a cursory review that could lead to crashes which made it judged 'not suitable for inclusion'.
>
> Just wanted to share this info.
>
> On Mon, Jan 14, 2019, 17:46 Abigaile Johannesburg <abij at tuta.io> wrote:
>
>> Package: nginx-extras
>> Version: 1.14.2-2
>> Severity: wishlist
>>
>>
>> Hello nginx maintainers,
>>
>> At the moment, the nginx-extras package includes the gzip module as one of the optional http modules. However, it seems Gzip compression is vulnerable to the BREACH [1] attack, and the vulnerability researchers' recommendation is to disable Gzip compression. There are also discussions on stackexchange [2].
>>
>> Instead of disabling compression over TLS/SSL completely, Google seems to be using a different compression scheme, Brotli [3]. Would you consider replacing the nginx Gzip module with Brotli?
>>
>> Thanks,
>> Abi
>>
>> ---
>> [1] http://breachattack.com/#mitigations
>> [2] https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
>> [3] https://github.com/google/ngx_brotli
>>
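As an added illustration, not part of this thread and not code from nginx, ngx_brotli or the length-hiding module, the following Python script shows the property the thread is about: when a response contains both a secret (a CSRF token) and text the client influences, the compressed length depends on whether that text repeats the secret, and this holds for any LZ77-based coder, which is why switching gzip for Brotli does not remove the risk. It also shows the per-response token masking that breachattack.com lists among its mitigations, which is independent of the compressor. The token value, the page template and the helper names are constructed for the example.

```python
import base64
import os
import zlib

# Constructed values for this example; not a real token or a real template.
SECRET_TOKEN = "f3a9c1e7b2d4"
DECOY = SECRET_TOKEN[::-1]  # same characters, but no 3-byte substring in common


def render(token_field: str, echoed: str) -> bytes:
    """Hypothetical page: a hidden CSRF token plus reflected user input, the
    combination that makes a compressed TLS response a BREACH target."""
    page = (
        "<html><body>"
        f"<input type='hidden' name='csrf' value='{token_field}'>"
        f"<p>You searched for: {echoed}</p>"
        "</body></html>"
    )
    return page.encode()


def compressed_len(data: bytes) -> int:
    # zlib/deflate: the same LZ77 + Huffman core that nginx's gzip module uses.
    return len(zlib.compress(data, 6))


def mask_token(token: str) -> str:
    """Per-response masking ('masking secrets' on breachattack.com): XOR the
    token with a fresh random pad and send base64(pad || token XOR pad).
    The same token is sent as different bytes every time, so the compressor
    never sees the secret as a repeatable substring."""
    raw = token.encode()
    pad = os.urandom(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, pad))
    return base64.b64encode(pad + masked).decode()


def unmask_token(field: str) -> str:
    """Server side: recover the token from a submitted masked field."""
    blob = base64.b64decode(field)
    half = len(blob) // 2
    pad, masked = blob[:half], blob[half:]
    return bytes(a ^ b for a, b in zip(pad, masked)).decode()


def length_leak(token_field: str) -> int:
    """Bytes saved when the reflected text equals the secret rather than the
    decoy. A clearly positive value means the response length reveals whether
    the reflected text matches the secret; a value near zero means it does not.
    Use it as a regression check on your own templates."""
    with_secret = compressed_len(render(token_field, SECRET_TOKEN))
    with_decoy = compressed_len(render(token_field, DECOY))
    return with_decoy - with_secret


if __name__ == "__main__":
    print("plain token leak :", length_leak(SECRET_TOKEN), "bytes")
    print("masked token leak:", length_leak(mask_token(SECRET_TOKEN)), "bytes")
    assert unmask_token(mask_token(SECRET_TOKEN)) == SECRET_TOKEN
```

With the plain token the secret page compresses several bytes smaller than the decoy page because deflate replaces the second copy of the token with a back-reference; with the masked field the two pages are the same size, since the token no longer appears anywhere in the output. Masking protects only the secrets you mask; random padding of the kind the length-hiding module adds instead makes the size signal noisy for the whole response, and the two are commonly combined.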
