RE: Question about http compression
> From: Emerson Gomes
> Sent: Monday, February 21, 2022 2:46 PM
> To: Tom Browder
> Cc: HAProxy
> Subject: Re: Question about http compression
>
> Hi,
>
> You're mixing up the concepts of TLS compression and HTTP compression. They
> are different things.
> Indeed TLS compression is not advised due to security concerns.
>
> However, this has nothing to do with HTTP compression, which is normally done
> using gzip or brotli algorithms, and specified as "Content-Encoding" on the
> HTTP header.

Emerson,

With all due respect, please read up on BREACH at the link Lukas Tribus provided in response to OP (https://breachattack.com), which attacks regular HTTP compression using techniques similar to the CRIME attack against TLS compression. Unfortunately it is very much a thing and appears to be only completely mitigated by disabling HTTP compression of potentially vulnerable responses or, if this can't be determined, then all responses.

Cheers,
Bob
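As an added illustration (not taken from any message in this thread), here is the mitigation Bob and Lukas point to, written in HAProxy's own configuration syntax: the weak setting that gzips dynamic HTML beside a backend that compresses only static asset types. The certificate path and backend address are placeholders.

```haproxy
# Added example, not from the thread. Placeholder values are marked.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # placeholder cert path
    # Point at be_app_hardened; be_app_weak is kept only to show the contrast.
    default_backend be_app_hardened

# WEAK: compresses every dynamic response, including text/html and JSON that
# may carry per-session secrets (CSRF tokens, session ids) next to reflected
# user input. Compressed length then leaks how well a guess matches the
# secret, which is exactly the response shape BREACH measures.
backend be_app_weak
    compression algo gzip
    compression type text/html text/plain application/json text/css application/javascript
    server app1 127.0.0.1:8080   # placeholder backend address

# HARDENED: HAProxy cannot tell which HTML responses embed secrets, so the
# thread's advice is applied literally: no compression for dynamic types at
# all. Only static, user-independent asset types are gzipped. "offload"
# strips Accept-Encoding from requests sent to the backend, so the app does
# not quietly compress HTML on its own behind the proxy.
backend be_app_hardened
    compression algo gzip
    compression offload
    compression type text/css application/javascript image/svg+xml
    server app1 127.0.0.1:8080   # placeholder backend address
```

If the application itself separates secrets from user input or masks tokens per request, HTML compression can be reconsidered; until then, leaving text/html out of `compression type` is the setting that matches the BREACH mitigations linked in the thread.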
Re: Question about http compression
Hi,

You're mixing up the concepts of TLS compression and HTTP compression. They are different things.
Indeed TLS compression is not advised due to security concerns.

However, this has nothing to do with HTTP compression, which is normally done using gzip or brotli algorithms, and specified as "Content-Encoding" on the HTTP header.

HTTP compression is generally advised when you often provide highly compressible files (like HTMLs) but keep in mind that it has a CPU cost noticeable for very intense traffic sites. That's why sometimes you might want to use HAProxy to compress HTTP responses to offload the CPU cost from your backend server.

In HAProxy you can use http://www.libslz.org/, which provides ultra-fast compression with the gzip algorithm.

BR.,
Emerson

On Mon, 21 Feb 2022 at 14:26, Tom Browder wrote:
> I'm getting ready to try 2.5 HAProxy on my system and see http compression
> is recommended.
>
> I am running Apache 2.4.52 and have for years tried to keep its TLS
> security as good as possible according to what advice I get from the Apache
> docs and SSL Labs. From those sources I thought https should not use
> compression because of some known exploit, so I'm not currently using it.
> My sites get an A+ rating from SSL Labs testing.
>
> So, not being at all an expert, I plan not to use the compression
> (although I've always wanted to). Perhaps I'm not as up-to-date as I
> should be (this is a hobby, but it's an important one, although I can't
> spend the time on it I would like to).
>
> Your thoughts and advice are appreciated.
>
> -Tom
Re: Question about http compression
On Mon, Feb 21, 2022 at 08:21 Lukas Tribus wrote:
> Hello,
>
> On Mon, 21 Feb 2022 at 14:25, Tom Browder wrote:
> >
> > I'm getting ready to try 2.5 HAProxy on my system
> > and see http compression is recommended.
>
> I'm not sure we are actively encouraging to enable HTTP compression.
> Where did you see this recommendation?

I think I implied that because I saw no note or warning about the hazards of http compression.

Thanks, Lukas.

Cheers!

-Tom
Re: Question about http compression
Hello,

On Mon, 21 Feb 2022 at 14:25, Tom Browder wrote:
>
> I'm getting ready to try 2.5 HAProxy on my system
> and see http compression is recommended.

I'm not sure we are actively encouraging to enable HTTP compression. Where did you see this recommendation?

> From those sources I thought https should not use compression
> because of some known exploit, so I'm not currently using it.

You are talking about BREACH [1], and I'm afraid there is no magic fix for that. The mitigations on the BREACH website apply.

Lukas

[1] http://www.breachattack.com/#mitigations
Question about http compression
I'm getting ready to try 2.5 HAProxy on my system and see http compression is recommended.

I am running Apache 2.4.52 and have for years tried to keep its TLS security as good as possible according to what advice I get from the Apache docs and SSL Labs. From those sources I thought https should not use compression because of some known exploit, so I'm not currently using it. My sites get an A+ rating from SSL Labs testing.

So, not being at all an expert, I plan not to use the compression (although I've always wanted to). Perhaps I'm not as up-to-date as I should be (this is a hobby, but it's an important one, although I can't spend the time on it I would like to).

Your thoughts and advice are appreciated.

-Tom