Package: nginx-extras
Version: 1.14.2-2
Severity: wishlist

Hello nginx maintainers,
At the moment, the nginx-extras package includes the gzip module as one of the
optional http modules. However, it seems Gzip compression is vulnerable to the
BREACH [1] attack, and the vulnerability researchers' recommendation is to
disable Gzip compression. There are also discussions on Stack Exchange [2].

Instead of disabling compression over TLS/SSL completely, Google seems to be
using a different compression scheme, Brotli [3]. Would you consider replacing
the nginx Gzip module with Brotli?

Thanks,
Abi,

---
[1] http://breachattack.com/#mitigations
[2] https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
[3] https://github.com/google/ngx_brotli
