[
https://issues.apache.org/jira/browse/WSS-386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13259292#comment-13259292
]
Anli Shundi commented on WSS-386:
---------------------------------
For decompression bombs have a configurable maximum size, some default value
which can't be perfect for everybody and an appropriate error message.
Note that this doesn't solve
http://www.w3.org/2008/xmlsec/papers/xmlEncCountermeasuresW3C.pdf
> Introduce proprietary Compress-Transformation for Encryption / Decryption
> -------------------------------------------------------------------------
>
> Key: WSS-386
> URL: https://issues.apache.org/jira/browse/WSS-386
> Project: WSS4J
> Issue Type: Sub-task
> Reporter: Marc Giger
> Assignee: Marc Giger
> Priority: Minor
> Fix For: 2.0
>
>
> Compressing encrypted content (as usually done on transport layer) is not
> very efficient but plain XML is.
> Numbers:
> soap-doc-encrypted-not-compressed.xml = ~19M
> soap-doc-compressed-on-transport.gz = ~ 15M
> soap-doc-compressed-before-xml-encryption.xml = ~1.1M
> The advantages are:
> - Factor n less data on the wire
> - Faster processing on both side because much less data must be
> encrypted/decrypted (depends on encryption/compression algorithm)
> Disadvantages:
> - Proprietary
> - Introduces new attack-vector and will be disabled by default for WSS with
> the introduction of secure-processing
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
