> From: Emerson Gomes <[email protected]>
> Sent: Monday, February 21, 2022 2:46 PM
> To: Tom Browder <[email protected]>
> Cc: HAProxy <[email protected]>
> Subject: Re: Question about http compression
>
> Hi,
>
> You're mixing up the concepts of TLS compression and HTTP compression. They
> are different things.
> Indeed TLS compression is not advised due to security concerns.
>
> However, this has nothing to do with HTTP compression, which is normally done
> using gzip or brotli algorithms, and specified as "Content-Encoding" on the
> HTTP header.
Emerson,

With all due respect, please read up on BREACH at the link Lukas Tribus provided in response to OP (https://breachattack.com), which attacks regular HTTP compression using techniques similar to the CRIME attack against TLS compression.

Unfortunately it is very much a thing and appears to be only completely mitigated by disabling HTTP compression of potentially vulnerable responses or, if this can't be determined, then all responses.

Cheers,
Bob
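The mitigation Bob describes (keep compression only for responses that cannot mix a secret with attacker-influenced text) can be expressed directly in HAProxy configuration. The fragment below is an added example for this thread, not configuration posted by either participant or shipped by the HAProxy project; the section names, certificate path and server address are placeholders. It relies on the `compression algo`, `compression type` and `compression offload` directives, which HAProxy documents.

```haproxy
# Added example (not from the thread): compress only static asset types and
# leave HTML/JSON uncompressed so dynamic pages that may reflect user input
# next to a secret (CSRF token, session id) are not exposed to BREACH-style
# length measurement. web_in, app_servers, the cert path and 10.0.0.10 are placeholders.
frontend web_in
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    default_backend app_servers

backend app_servers
    # Strip Accept-Encoding before forwarding, so the application server does
    # not compress HTML itself and silently reintroduce the problem.
    compression offload
    compression algo gzip
    # Only content types that never carry user-reflected text beside a secret.
    # text/html, application/json and text/plain are deliberately absent.
    compression type text/css application/javascript image/svg+xml
    server app1 10.0.0.10:8080 check
```

After reloading, verify the policy from the outside rather than trusting the config: request an HTML page with `Accept-Encoding: gzip` and confirm the response has no `Content-Encoding` header, then request a stylesheet and confirm it does. If the HTML response still comes back compressed, the backend is compressing on its own and `compression offload` (or the backend's own compression setting) needs attention.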