Florian Hockmann created TINKERPOP-2682:
-------------------------------------------
Summary: Enable WebSocket compression in .NET by default
Key: TINKERPOP-2682
URL: https://issues.apache.org/jira/browse/TINKERPOP-2682
Project: TinkerPop
Issue Type: Improvement
Components: dotnet
Affects Versions: 3.5.1
Reporter: Florian Hockmann
.NET 6 added support for WebSocket compression to .NET:
[https://devblogs.microsoft.com/dotnet/announcing-net-6/#websocket-compression]
Users can already enable that by themselves as it has been added as a property
{{DangerousDeflate}} to the {{ClientWebSocketOptions}} which can be configured
via the {{webSocketConfiguration}} of the {{GremlinClient}} constructor in
Gremlin.Net.
Since we have enabled compression by default in Python and Java, it makes sense
to also enable it by default in .NET. We can of course only do that for .NET 6
which is why we'll have to add that as an additional target framework to
Gremlin.Net.
The .NET 6 announcement mentions that WebSocket compression together with
encrypted content is susceptible to attacks like CRIME and BREACH that can
reveal the encrypted content if an attacker is able to control data that is
sent together with the encrypted content over the same WebSocket connection.
That is why the property to enable compression is called {_}Dangerous{_}Deflate
and why compression can also be disabled on a per-message basis
([source|https://github.com/dotnet/runtime/issues/31088#issuecomment-804359919]).
I suggest we can account for these possible attacks by disabling compression
for the authentication messages we send to the server which contain credentials
and by adding a note to the docs about this with a recommendation to disable
compression if an application needs to send sensitive data, but also data
controlled by (potentially untrusted) users to the server.
Since the attacker additionally needs to be able to monitor the network traffic
between the client and the server, I guess >99% of applications are not
affected by this and will therefore benefit from enabling compression by
default.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
