Re: How to turn off gzip compression for SSL traffic

Posted by rmalayter, August 20, 2013 05:12PM
B.R. Wrote:
> BREACH attacks the fact that compressed HTTP content encrypted with SSL
> makes it easy to guess a known existing header field from the request that
> is repeated in the (encrypted) answer looking at the size of the body.
> BEAST conclusion is: don't use HTTP compression underneath SSL encryption.

No, the conclusion is: don't echo back values supplied by the requester as trusted in your *application* code. This is the most basic of anti-injection protections. BREACH is the result of an application-layer problem, and needs to be solved there. Why would you *ever* echo arbitrary header or form input back to the requester alongside sensitive data?

A huge number of established security best practices prevent the BREACH attack at the application layer; a man-in-the-middle as well as an exploitable XSS/CSRF vulnerability is needed to even get the attack started. Fix those issues first. Also, you should likely be rate-limiting responses by session at your back-end to prevent DoS attacks. For the extra paranoid, randomly HTML-entity-encode characters of any user data supplied before echoing it back in a response, and add random padding of random length to the HEAD of all responses.
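The two "extra paranoid" application-layer mitigations mentioned above (randomly HTML-entity-encoding echoed user data, and prepending random-length padding to every response) can be shown in a few lines. This is an added illustration written for this page, not code from the poster or from nginx; the secret token, the page template and the padding bounds are constructed placeholders, and `render()` stands in for whatever view function an application uses to echo input back.

```python
import html
import random
import secrets
import zlib
from typing import Optional

# Constructed sample: a page that echoes a user-supplied search term on the
# same page as a secret (the kind of response BREACH measures). Placeholder only.
SECRET_TOKEN = "csrf=6f3a9c1e2b"


def random_entity_encode(text: str, rate: float = 0.5,
                         rng: Optional[random.Random] = None) -> str:
    """Encode a random subset of characters as numeric HTML entities.

    Browsers decode '&#97;' back to 'a', so the rendered page is unchanged,
    but the bytes the requester controls no longer appear verbatim next to
    the secret, so DEFLATE back-references (and hence the compressed size)
    stop tracking the requester's input in a predictable way.
    """
    if rng is None:
        rng = random.SystemRandom()
    out = []
    for ch in text:
        if rng.random() < rate:
            out.append(f"&#{ord(ch)};")
        else:
            out.append(html.escape(ch, quote=True))   # still escape the rest
    return "".join(out)


def random_padding(min_len: int = 16, max_len: int = 256) -> str:
    """Return an HTML comment of random length to prepend to the response.

    Random, incompressible padding makes the compressed length vary from
    request to request, so one measurement tells an observer little; it
    raises the number of samples needed rather than closing the channel.
    """
    n = secrets.randbelow(max_len - min_len + 1) + min_len
    return "<!-- " + secrets.token_hex(n)[:n] + " -->"


def render(user_input: str, hardened: bool = True) -> bytes:
    """Build the response body; the hardened variant applies both mitigations."""
    if hardened:
        echoed = random_entity_encode(user_input)
        head = random_padding()
    else:
        echoed = html.escape(user_input, quote=True)
        head = ""
    body = (
        f"{head}<html><body>"
        f'<input type="hidden" name="token" value="{SECRET_TOKEN}">'
        f"<p>You searched for: {echoed}</p>"
        "</body></html>"
    )
    return body.encode()


def compressed_size(body: bytes) -> int:
    """Length of the body after DEFLATE, i.e. what an on-path observer sees."""
    return len(zlib.compress(body, 6))


if __name__ == "__main__":
    term = "csrf=6f3a"
    print("unmitigated size:", compressed_size(render(term, hardened=False)))
    print("hardened sizes  :", [compressed_size(render(term)) for _ in range(5)])
```

Run it a few times: the unmitigated size is identical for identical input, while the hardened sizes differ on every request even though the rendered page is the same. Padding and randomized encoding are noise, not a fix; the post's main point stands, which is that the echoed-input pattern itself should not exist alongside secrets.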

At the nginx layer, some sensible rate limits might also be an appropriate mitigation: thousands-to-millions of requests are needed to extract secret data with BREACH.

I haven't seen Google or any other large web site turn off gzip compression of HTTPS responses yet because of BREACH. If *you* can actually afford to do so, your traffic level is simply trivial. We would see approximately an 8x increase in bandwidth costs (and corresponding 8x increase in end-user response time) if we disabled GZIP for HTTPS connections.
Thread index (subject, author, posted):

- How to turn off gzip compression for SSL traffic: howard chen, August 17, 2013 01:00AM
- Re: How to turn off gzip compression for SSL traffic: Igor Sysoev, August 17, 2013 08:46AM
- Re: How to turn off gzip compression for SSL traffic: howard chen, August 18, 2013 06:28AM
- Re: How to turn off gzip compression for SSL traffic: Bob S., August 18, 2013 09:04AM
- Re: How to turn off gzip compression for SSL traffic: Igor Sysoev, August 19, 2013 12:44AM
- Re: How to turn off gzip compression for SSL traffic: itpp2012, August 18, 2013 01:09PM
- Re: How to turn off gzip compression for SSL traffic: Jonathan Matthews, August 18, 2013 01:16PM
- Re: How to turn off gzip compression for SSL traffic: Adie Nurahmadie, August 18, 2013 01:48PM
- Re: How to turn off gzip compression for SSL traffic: B.R., August 18, 2013 02:58PM
- Re: How to turn off gzip compression for SSL traffic: openletter, August 18, 2013 03:34PM
- Re: How to turn off gzip compression for SSL traffic: openletter, August 18, 2013 03:38PM
- Re: How to turn off gzip compression for SSL traffic: itpp2012, August 18, 2013 04:48PM
- Re: How to turn off gzip compression for SSL traffic: B.R., August 18, 2013 05:14PM
- Re: How to turn off gzip compression for SSL traffic: Igor Sysoev, August 19, 2013 12:44AM
- Re: How to turn off gzip compression for SSL traffic: B.R., August 19, 2013 01:58AM
- Re: How to turn off gzip compression for SSL traffic: Igor Sysoev, August 19, 2013 02:06AM
- Re: How to turn off gzip compression for SSL traffic: B.R., August 19, 2013 11:48AM
- Re: How to turn off gzip compression for SSL traffic: rmalayter, August 20, 2013 05:12PM
- Re: How to turn off gzip compression for SSL traffic: B.R., August 20, 2013 06:26PM