On 06/12/2014 08:05 AM, Jacob Hoffman-Andrews wrote: > One thing I've been meaning to follow up on: The spec currently says " > The ruleset database will be served as a ZIP file." I mentioned that > Content-Encoding: gzip at the HTTP level would be simpler and offer > similar compression. Yan's objection was that this could enable the > BREACH attack. However, the BREACH attack only applies when there is > both user-controllable content and secret content returned from a given > URL. The ruleset database has neither. >
My concern wasn't compromising the confidentiality of the ruleset file (it's fairly public anyway) due to BREACH, but rather that Tor Browser users will soon have a convenient way to disable gzip by default in the browser. Assuming there is no fallback-to-uncompressed option set up on the server, this would initially prevent them from auto-updating. But it turns out this concern is probably moot, because we serve https://www.eff.org/files/https-everywhere-update-2048.rdf with content-encoding: gzip anyway. -Yan > > _______________________________________________ > HTTPS-Everywhere mailing list > [email protected] > https://lists.eff.org/mailman/listinfo/https-everywhere > -- Yan Zhu <[email protected]>, <[email protected]> Staff Technologist Electronic Frontier Foundation https://www.eff.org 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
signature.asc
Description: OpenPGP digital signature
_______________________________________________ HTTPS-Everywhere mailing list [email protected] https://lists.eff.org/mailman/listinfo/https-everywhere
