
Should you compress the body of an HTTPS response before passing it to openssl? C++

I am aware of the attacks that are made possible by compressing an HTTP(S) response as explained over here. But according to Compression in HTTP you should compress the (body of a) HTTP response.

So I am a little confused if the attacks are also possible when you merely compress the body of an HTTP(S) response, and not the headers?

  • You are basically asking about the BREACH attack. In short: compressing static content is fine. Compressing content which does not contain secrets is fine too. Compressing dynamic content with secrets is fine as long as it does not contain content which might be controlled by an attacker observing the encrypted traffic. – Steffen Ullrich Sep 21 '22 at 17:10
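The condition in the comment above (a secret and attacker-influenced text inside one compressed body) can be checked mechanically before enabling body compression. This is an added example, not code from the question or the commenter; the page layout, the token value, and the mask-and-hex encoding of the mitigation are assumptions for illustration.

```python
import os
import zlib

# Constructed sample secret: a per-session CSRF token embedded in the page.
SECRET = "csrf=8f3a9c1e7b2d4a6f"


def render(reflected: str, secret: str = SECRET) -> bytes:
    """Assumed page layout: a request parameter echoed back, then the token."""
    return f"<p>Results for: {reflected}</p><input name='{secret}'>".encode()


def compressed_len(body: bytes) -> int:
    return len(zlib.compress(body, 9))


def leaks_via_compression(candidates, secret: str = SECRET) -> bool:
    """Defender's check: if the compressed size changes with the reflected
    input (only the echoed text differs between candidates), DEFLATE is
    matching that input against the secret and the body must not be
    compressed as-is."""
    sizes = {c: compressed_len(render(c, secret)) for c in candidates}
    return len(set(sizes.values())) > 1


def mask_token(secret: str) -> str:
    """Mitigation: XOR the token with a fresh random mask on every response
    (the approach used by common web frameworks for CSRF tokens), so the
    bytes on the wire never repeat and there is nothing for LZ77 to match.
    Wire format (assumed): hex(mask || secret XOR mask)."""
    raw = secret.encode()
    mask = os.urandom(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return (mask + masked).hex()


def unmask_token(wire: str) -> str:
    """Server side: recover the original token from the masked form."""
    data = bytes.fromhex(wire)
    half = len(data) // 2
    mask, masked = data[:half], data[half:]
    return bytes(a ^ b for a, b in zip(mask, masked)).decode()


if __name__ == "__main__":
    # One candidate matches a prefix of the secret, the other does not.
    print(leaks_via_compression(["csrf=8f3a9c1e", "csrf=b7e0d2c4"]))  # True
    print(unmask_token(mask_token(SECRET)) == SECRET)  # True
```

The check returns True for the sample page because the matching prefix compresses to a shorter body; the masked token is what should go into a body that is compressed.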
