0

I know that there are multiple HTTP Compression tools out there.

In order to entirely prevent a site from being susceptible to BREACH, which HTTP Compression algorithm should I use?

Also, how should I go about making sure the server uses it?

(Conversation about Brotli noted but doesn't really answer the question: Brotli compression for HTTPS)

JohnFF
  • 144
  • 6
  • *"Also, how should I go about making sure the server uses it?"* - that part of your question is about server configuration. It is both specific to the HTTP server you use and also off-topic here since it has nothing to do with information security. It is usually also easy to find by looking at the server's documentation or by using a search engine. – Steffen Ullrich Dec 01 '18 at 04:33
  • You say that - but I looked and could not see. But thank you for the feedback Steffen :) – JohnFF Dec 01 '18 at 15:08
  • *"...but I looked and could not see..."* - I don't know where and how you looked. But when using a search engine with phrases like [apache gzip compression](https://www.google.com/search?q=apache+gzip+compression) or [nginx gzip compression](https://www.google.com/search?q=nginx+gzip+compression) one will find lots of documentation on how to configure this. – Steffen Ullrich Dec 01 '18 at 15:42
  • Is there anything you want me to add to my answer? – forest Jan 25 '21 at 03:19

1 Answer

3

BREACH is an issue with how compressed data is used, not what compression algorithm is in use. If you are sending sensitive data (CSRF tokens, for example) or using dynamic content, then HTTP compression may make it possible to reveal the secrets. For static or non-sensitive content, any compression technique is fine. In order to support most browsers, you should use DEFLATE or gzip.

forest
  • 64,616
  • 20
  • 206
  • 257
  • Actually both deflate and gzip are supported by all modern browsers. But deflate is not supported by most HTTP libraries as used in tools - these at most support gzip or no compression at all. And while gzip and deflate are nearly the same (different header) the standard is confusing here: what is called deflate in the standard is actually zlib (zlib header + deflate compression, compared to gzip being gzip header + deflate compression) and not raw deflate. Some browsers therefore implement both (FF, Chrome), some only zlib (IE, Edge). – Steffen Ullrich Dec 01 '18 at 04:31
  • Thank you for your detailed answer - really helpful. Can you please tell me which is the best compression algorithm to use? – JohnFF Dec 01 '18 at 15:09
  • @JohnFF In terms of compatibility, see what Steffen Ullrich wrote (use gzip). For pure text, brotli is probably good. Any of the better compression algorithms are not widely supported. – forest Dec 02 '18 at 02:37
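As an added example (not code from the question or the answer), here is the measurement behind the answer's point: the compressed-size side channel that BREACH relies on shows up identically with zlib, gzip and raw DEFLATE, and goes away when the token is masked with a fresh random value per response. The HTML, the token and the demo mask are constructed for the example.

```python
import os
import zlib

# Constructed sample secret (a CSRF token). The response template reflects an
# attacker-influenced parameter in the same compressed body as the secret,
# which is exactly the situation BREACH needs; the algorithm is irrelevant.
TOKEN = bytes.fromhex("9f3a7c1e5b2d4a6f")


def response(reflected: str, token_field: str) -> bytes:
    """Body containing both the reflected text and the (possibly masked) token."""
    return f"<p>q={reflected}</p><input name=csrf value={token_field}>".encode()


def compressed_len(body: bytes, wbits: int) -> int:
    """Compressed size under zlib (wbits=15), gzip (31) or raw DEFLATE (-15)."""
    c = zlib.compressobj(level=6, wbits=wbits)
    return len(c.compress(body) + c.flush())


def mask_token(token: bytes, mask: bytes = b"") -> str:
    """Mitigation: send mask || (token XOR mask) with a new mask every response,
    so the bytes on the wire never equal a fixed string that could be reflected."""
    mask = mask or os.urandom(len(token))
    return (mask + bytes(a ^ b for a, b in zip(token, mask))).hex()


def leak_delta(wbits: int, token_field: str) -> int:
    """Bytes saved when the reflected text equals the plaintext token compared
    with the same characters reversed (same length, no shared 3-byte substring).
    A positive delta means the compressed size reveals the secret."""
    hit = TOKEN.hex()
    miss = hit[::-1]
    return (compressed_len(response(miss, token_field), wbits)
            - compressed_len(response(hit, token_field), wbits))


if __name__ == "__main__":
    # Fixed mask only so the demo is repeatable; production uses os.urandom.
    demo_mask = bytes.fromhex("a1b2c3d4e5f60718")
    for name, wbits in (("zlib", 15), ("gzip", 31), ("raw deflate", -15)):
        plain = leak_delta(wbits, TOKEN.hex())
        masked = leak_delta(wbits, mask_token(TOKEN, demo_mask))
        print(f"{name:12} plaintext token leaks {plain} bytes, masked token {masked}")
```

The alternative the answer mentions, disabling compression for dynamic responses that carry secrets, removes the channel for every algorithm at once.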