Florian Hockmann created TINKERPOP-2700:
-------------------------------------------
Summary: WebSocket compression may lead to attacks (CRIME / BREACH)
Key: TINKERPOP-2700
URL: https://issues.apache.org/jira/browse/TINKERPOP-2700
Project: TinkerPop
Issue Type: Improvement
Components: driver, python
Affects Versions: 3.5.2
Reporter: Florian Hockmann

As noted in TINKERPOP-2682, WS compression can make an application vulnerable
to attacks. That is why it should probably be disabled if an application sends
sensitive data as well as data that could be controlled by a potentially
untrusted user.

So, we should make it possible for users to disable compression and inform
them about this problem in our docs.

We can optionally also disable compression ourselves for messages that contain
an authentication response (that's how it's implemented right now for .NET in
the PR for TINKERPOP-2682).
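Added example, not part of the issue or of the TinkerPop code base: a check that shows why a compressed WebSocket message mixing a secret with untrusted input is a problem, and that sending that message uncompressed removes the length signal. The message layout, the token value and all function names are constructed for illustration.

```python
import zlib

# Constructed sample values; the message layout is an assumption for illustration.
SECRET = b"token=Zq7Lx2Vn9Rk4Tb8Wm3Hc6Yd1Pf5Js0Gu"
UNRELATED = b"label=Aa1Bb2Cc3Dd4Ee5Ff6Gg7Hh8Ii9Jj0Kk"  # same length, does not repeat the secret


def build_message(untrusted: bytes) -> bytes:
    """One message carrying a secret next to a caller-supplied field."""
    return b'{"auth":"' + SECRET + b'","query":"' + untrusted + b'"}'


def deflate_payload(data: bytes) -> bytes:
    """Compress one message the way permessage-deflate (RFC 7692) does."""
    comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    out = comp.compress(data) + comp.flush(zlib.Z_SYNC_FLUSH)
    return out[:-4]  # RFC 7692 removes the trailing 00 00 ff ff


def wire_size(message: bytes, compress: bool) -> int:
    """Payload length visible to an on-path observer, even under TLS."""
    return len(deflate_payload(message)) if compress else len(message)


def size_gap(compress: bool) -> int:
    """Size difference between untrusted input that repeats the secret and
    input of equal length that does not. Non-zero means length leaks content."""
    repeats = wire_size(build_message(SECRET), compress)
    differs = wire_size(build_message(UNRELATED), compress)
    return differs - repeats


if __name__ == "__main__":
    print("compressed gap:  ", size_gap(True))   # non-zero: length depends on the secret
    print("uncompressed gap:", size_gap(False))  # zero: length depends only on input length
```

A non-zero gap with compression on is the condition the issue describes; the zero gap with compression off is why disabling it for messages that carry an authentication response closes the channel for those messages.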