> My concern wasn't compromising the confidentiality of the ruleset file (it's fairly public anyway) due to BREACH, but rather that Tor Browser users will soon have a convenient way to disable gzip by default in the browser. Assuming there is no fallback-to-uncompressed option set up on the server, this would initially prevent them from auto-updating.

Ah, got it. I'm guessing the way this would work is that Tor Browser would choose not to send Accept-Encoding: gzip as part of its HTTP requests. Compliant servers would then never send back gzip-encoded content. For us, this would mean that updates sent to Tor Browser users would consume more bandwidth (for us) and take more time (for them), but it wouldn't be fatal.

I think let's punt on specific workarounds for that until Tor definitely decides whether or not to disable compression. Sentiment on the thread you linked seems mixed.
_______________________________________________
HTTPS-Everywhere mailing list
https://lists.eff.org/mailman/listinfo/https-everywhere
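
The negotiation discussed in the reply above, as an added example that is not part of the original message or of the HTTPS Everywhere code. The function names and sample headers are hypothetical, and a missing Accept-Encoding header is treated as identity-only, the conservative behaviour the reply assumes. It shows why a server holding only a gzip variant has nothing to offer a client that does not accept gzip.

```python
def parse_accept_encoding(header):
    """Map each content-coding in an Accept-Encoding value to its q-value."""
    prefs = {}
    for item in (header or "").split(","):
        coding, _, params = item.strip().partition(";")
        if not coding.strip():
            continue
        q = 1.0
        for param in params.split(";"):
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0  # malformed weight: treat the coding as refused
        prefs[coding.strip().lower()] = q
    return prefs


def choose_encoding(header, available):
    """Pick the coding to serve, or None if no stored variant is acceptable.

    header:    Accept-Encoding value, or None when the client sent none
               (assumption: handled as identity-only).
    available: codings the server holds for the file, e.g. ("gzip", "identity").
    """
    prefs = parse_accept_encoding(header)

    def weight(coding):
        if coding in prefs:
            return prefs[coding]
        if "*" in prefs:
            return prefs["*"]
        # identity stays acceptable unless explicitly refused
        return 1.0 if coding == "identity" else 0.0

    acceptable = [c for c in available if weight(c) > 0]
    if not acceptable:
        return None  # no usable variant: the update request fails
    # Highest q wins; on a tie prefer the compressed variant to save bandwidth.
    return max(acceptable, key=lambda c: (weight(c), c != "identity"))


# Constructed sample requests against two hypothetical update servers.
if __name__ == "__main__":
    for header in ("gzip, deflate", None, "gzip;q=0, identity"):
        for variants in (("gzip", "identity"), ("gzip",)):
            print(repr(header), variants, "->", choose_encoding(header, variants))
```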
