Last active May 2, 2021 13:58
[DEPRECATED] Nginx : BREACH protection
# Disable gzip compression
gzip off;
Hello!
You are probably right. For the first point, finding information about BREACH after 2013 is complicated. I assumed TLS 1.1 had addressed the issue. If that's not the case, I may be wrong.
About the second point, indeed, it's a lazy method. Disabling gzip compression fixes the problem, but it's the worst trade-off. Some alternatives are disabling it only where secrets are replied, or randomizing the length of the response.
I have chosen to deprecate it because obviously nobody seriously disables gzip in production to address this issue. Even ssllabs ignores it.
Have a nice day, and thanks for your reply, very interesting.
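The per-location alternative mentioned in the reply, as an added example that is not the gist's own config (the server name, paths and upstream name are assumptions for illustration):

```nginx
# Added example, not the gist's file: compress only where no secret can sit next
# to reflected input, instead of the gist's blanket "gzip off;".
http {
    upstream app_backend {
        server 127.0.0.1:8080;   # assumed application server
    }

    # Default: compression stays on for static, secret-free content types.
    # Note that nginx always compresses text/html regardless of gzip_types,
    # so HTML pages must be handled with "gzip off" in their own location.
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;
    gzip_vary on;

    server {
        listen 443 ssl;
        server_name example.com;   # placeholder

        # Static assets carry no secrets: keep them compressed.
        location /static/ {
            root /var/www;
        }

        # Dynamic HTML that renders a CSRF token or session data next to
        # reflected request parameters is where BREACH applies: gzip off here.
        location / {
            gzip off;
            proxy_pass http://app_backend;
        }

        # JSON endpoints returning tokens: likewise served uncompressed.
        location /api/ {
            gzip off;
            proxy_pass http://app_backend;
        }
    }
}
```

Validate with `nginx -t` after editing; the trade-off is then limited to the locations that actually reply with secrets.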
Just randomly found this. I have several questions: