Your message dated 
with message-id 
and subject line Closing resolved/obsolete bug reports
has caused the Debian Bug report #919320,
regarding nginx-extras: Would you please consider replacing Gzip module with 
Brotli for compression?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
919320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919320
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nginx-extras
Version: 1.14.2-2
Severity: wishlist


Hello nginx maintainers,

At the moment, the nginx-extras package includes the gzip module as one of the 
optional HTTP modules. However, it seems Gzip compression is vulnerable to the 
BREACH [1] attack, and the vulnerability researchers' recommendation is to 
disable Gzip compression. There are also discussions on Stack Exchange [2].

Instead of disabling compression over TLS/SSL completely, Google seems to be 
using a different compression scheme, Brotli [3]. Would you consider replacing 
the nginx Gzip module with Brotli?

Thanks,
Abi,

---
[1] http://breachattack.com/#mitigations
[2] https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
[3] https://github.com/google/ngx_brotli

--- End Message ---
--- Begin Message ---
This issue appears to be resolved, so I'm closing this bug report.

Please reopen it if the problem persists.

Best regards,
Jan

--- End Message ---
