@nbeguier
Last active May 2, 2021 13:58
[DEPRECATED] Nginx : BREACH protection
# Disable gzip compression
gzip off;
@khokm

khokm commented May 2, 2021

Just randomly found this. I have several questions:

  1. Why is it deprecated? Isn't the BREACH attack still relevant in 2021?
  2. If it still is, why disable gzip for everything? Static resources that everyone can access don't need any authentication data, so we can gzip them (and disable gzip only for PHP responses, proxy_pass locations, etc.).

@nbeguier
Author

nbeguier commented May 2, 2021

Hello!
You are probably right. For the first point, finding information about BREACH after 2013 is complicated. I assumed TLS 1.1 had addressed the issue. If that's not the case, I may be wrong.
About the second point, indeed, it's a lazy method. Disabling gzip compression fixes the problem, but it's the worst trade-off. Some alternatives are disabling it only where secrets are returned in the reply, or randomizing the length of the response.

I have chosen to deprecate it because obviously nobody seriously disables gzip in production and addresses this issue. Even ssllabs ignores it.

Have a nice day, and thanks for your reply, very interesting.
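The selective alternative discussed in this thread (gzip on for public static assets, off for locations that return per-user secrets), written out as an added nginx configuration. This is an illustrative example, not the gist's own config; the hostname, paths, upstream address, PHP-FPM socket and file extensions are assumptions chosen for the illustration. It shows only the "disable where secrets are returned" option; the response-length randomization alternative has no stock nginx directive and is not shown.

```nginx
# Added example (not the gist's config): compress only public static assets,
# and turn compression off where responses may carry secrets (BREACH).
# All hostnames, paths and addresses below are placeholders.

http {
    # Compression is on by default at the http level, for static assets only.
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    # Restrict compressed MIME types to static asset types.
    # Caveat: nginx always compresses text/html when gzip is on, regardless
    # of gzip_types, so HTML-returning locations still need "gzip off".
    gzip_types text/css application/javascript image/svg+xml font/woff2;

    upstream app_backend {             # assumption: application server
        server 127.0.0.1:9000;
    }

    server {
        listen 443 ssl;
        server_name example.com;                            # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path
        root /var/www/app;                                  # placeholder path

        # Public static files: the body contains no authentication data or
        # reflected user input, so compressing them leaks nothing useful.
        location ~* \.(css|js|svg|woff2|png|jpg)$ {
            expires 7d;
        }

        # Dynamic PHP pages can echo attacker-influenced input next to CSRF
        # tokens or session-bound data: compression off here.
        location ~ \.php$ {
            gzip off;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;        # placeholder socket
        }

        # Proxied application responses: same reasoning, compression off.
        # "gzip off" only stops nginx from compressing; clearing the forwarded
        # Accept-Encoding header also stops the backend from compressing.
        location /api/ {
            gzip off;
            proxy_set_header Accept-Encoding "";
            proxy_pass http://app_backend;
        }
    }
}
```

The important check is the last one: `gzip off` in a location controls nginx's own compression only. If the upstream application already returns a compressed body, nginx passes it through unchanged, so per-user responses stay compressed unless the backend is told not to compress (here, by not forwarding `Accept-Encoding`). Verify with a request carrying `Accept-Encoding: gzip` against each dynamic location and confirm the response has no `Content-Encoding` header.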
