On Thu, Oct 19, 2023 at 12:36 AM alienmega via nginx <nginx@nginx.org> wrote:
>
> Thank you for the information. I didn't notice I was looking at the wrong place. It turns out that the culprit is Cloudflare. If I don't use it, I can see the gzip going on and off (as expected), but as soon as I use Cloudflare, it overwrites that response. Now I need to check on Cloudflare if there is any way to turn it off.

One comment about 3rd parties, like Cloudflare... Remember, the cloud
is just someone else's machine. If Cloudflare is supporting protocols
like SPDY, then compression is baked into the protocol. You cannot
disable compression in this case. So compression may be available and
used on their web servers whether you want it or not.

An easier way to avoid CRIME and BREACH may be to use TLS v1.2 and
above with AEAD cipher modes like CCM or GCM since CRIME and BREACH
were timing attacks on cipher modes like CBC. Stream ciphers should
avoid the problem, too, like TLS v1.3's ChaCha20-Poly1305.

Jeff
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
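
Added example, not part of the thread: a measurement of why the gzip on/off check discussed above matters for BREACH. It compares response sizes when reflected input does or does not repeat a secret in the same body; the page template, token and query strings are constructed for illustration.

```python
import zlib

# Constructed sample values; nothing here comes from the thread.
SECRET = "c0nstructedT0ken9f3a71"
PAGE = ('<html><body><form><input type="hidden" name="csrf" '
        'value="{secret}"></form><p>Results for: {q}</p></body></html>')


def response_size(reflected: str, gzip_on: bool) -> int:
    """Bytes of one response body that reflects `reflected`."""
    body = PAGE.format(secret=SECRET, q=reflected).encode()
    if not gzip_on:
        return len(body)
    # wbits=31 selects the gzip container, as sent with Content-Encoding: gzip
    comp = zlib.compressobj(level=6, wbits=31)
    return len(comp.compress(body) + comp.flush())


def size_gap(gzip_on: bool) -> int:
    """Size difference between a response whose reflected input does not
    repeat the secret and one whose input does (same input length)."""
    repeats = 'value="' + SECRET
    differs = 'value="' + "Zq7XwLp8VkJm6RbTy5NhGd"
    assert len(repeats) == len(differs)
    return response_size(differs, gzip_on) - response_size(repeats, gzip_on)


if __name__ == "__main__":
    # With gzip the repeated string is replaced by a back-reference, so the
    # body is shorter; without gzip both bodies have identical length.
    print("gzip on :", size_gap(True), "byte gap")
    print("gzip off:", size_gap(False), "byte gap")
```

When a CDN sits in front of the origin, the body that matters for this measurement is the one the CDN sends to the client, which is why the response has to be checked at the edge as well as at nginx.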