[
https://issues.apache.org/jira/browse/TINKERPOP-2682?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Florian Hockmann closed TINKERPOP-2682.
---------------------------------------
Fix Version/s: 3.6.0
3.5.3
Resolution: Fixed
> Enable WebSocket compression in .NET by default
> -----------------------------------------------
>
> Key: TINKERPOP-2682
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2682
> Project: TinkerPop
> Issue Type: Improvement
> Components: dotnet
> Affects Versions: 3.5.1
> Reporter: Florian Hockmann
> Assignee: Florian Hockmann
> Priority: Minor
> Fix For: 3.6.0, 3.5.3
>
>
> .NET 6 added support for WebSocket compression to .NET:
> [https://devblogs.microsoft.com/dotnet/announcing-net-6/#websocket-compression]
> Users can already enable that by themselves as it has been added as a
> property {{DangerousDeflate}} to the {{ClientWebSocketOptions}} which can be
> configured via the {{webSocketConfiguration}} of the {{GremlinClient}}
> constructor in Gremlin.Net.
> Since we have enabled compression by default in Python and Java, it makes
> sense to also enable it by default in .NET. We can of course only do that for
> .NET 6 which is why we'll have to add that as an additional target framework
> to Gremlin.Net.
> The .NET 6 announcement mentions that WebSocket compression together with
> encrypted content is susceptible to attacks like CRIME and BREACH that can
> reveal the encrypted content if an attacker is able to control data that is
> sent together with the encrypted content over the same WebSocket connection.
> That is why the property to enable compression is called
> {_}Dangerous{_}Deflate and why compression can also be disabled on a
> per-message basis
> ([source|https://github.com/dotnet/runtime/issues/31088#issuecomment-804359919]).
> I suggest we can account for these possible attacks by disabling compression
> for the authentication messages we send to the server which contain
> credentials and by adding a note to the docs about this with a recommendation
> to disable compression if an application needs to send sensitive data, but
> also data controlled by (potentially untrusted) users to the server.
> Since the attacker additionally needs to be able to monitor the network
> traffic between the client and the server, I guess >99% of applications are
> not affected by this and will therefore benefit from enabling compression by
> default.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
