
Microsoft Exchange / OWA (Outlook Web Access) allows for three different types of compression (link for Ex2010)

Compression setting   Description
High                  Compresses both static and dynamic pages.
Low                   Compresses only static pages.
None                  No compression is used.

Given the known attacks against HTTP and SSL (namely BEAST, CRIME, and BREACH), is it safe to use a compression setting of "Low", wherein only static pages are compressed?

makerofthings7

1 Answer


The recent compression-related attacks all work on the same principle: some chunk of bytes is compressed, containing both a data element that the attacker chooses, and a data element that the attacker wants to uncover. The resulting compressed length is used as a binary oracle in successive "guesses" from the attacker, who progressively rebuilds the secret value, one byte at a time.

This cannot work with static pages, because static pages are static. By definition, this means that their contents do not change often (i.e. never except by explicit action of the site administrator), and, in particular, the attacker does not get to put his own data in them.


It can be pointed out that compression is a matter of performance and, as such, is not warranted until performance problems have been duly noticed. I suggest that you first deactivate compression altogether, and see if this works well for you. If, and only if, you notice excessive network consumption or latency, does it become relevant to try higher compression levels.

Tom Leek
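The length oracle described in the answer above, as an added example that is not part of the original question or answer and has nothing to do with Exchange's own code: a simulated page carries a secret token (a hypothetical CSRF value) and, in the "dynamic" variant, also reflects attacker-supplied input; the attacker recovers the token one character at a time by picking the guess that compresses smallest. The "static" variant contains the same secret but never reflects attacker input, so every guess produces the same compressed length and the oracle yields nothing. The page layout, the marker string, the token, and the padding scheme are all constructed for the demo; `Z_FIXED` (fixed Huffman tables) and the padding sweep are there to make the byte-length oracle deterministic, whereas a real server's dynamic Huffman tables add noise that an attacker averages away with more requests.

```python
"""Added example: BREACH/CRIME-style compression length oracle (not from the original post)."""
import zlib

# Constructed sample data; nothing here comes from the original post or from Exchange/OWA.
SECRET_TOKEN = "7c3e9a1f0b4d2e85"        # hypothetical CSRF token the attacker wants
TOKEN_ALPHABET = "0123456789abcdef"      # assumed: the token is lowercase hex
MARKER = 'csrf_token" value="'           # assumed known: text that precedes the token in the page


def dynamic_page(reflected: bytes, secret: str = SECRET_TOKEN) -> bytes:
    """Compressed body that mixes a secret with attacker-controlled (reflected) bytes."""
    return (
        b"<html><body>\n"
        b'<form action="/transfer" method="post">\n'
        b'<input type="hidden" name="csrf_token" value="' + secret.encode() + b'">\n'
        b"</form>\n"
        b"<p>Search results for: " + reflected + b"</p>\n"
        b"</body></html>\n"
    )


def static_page(reflected: bytes, secret: str = SECRET_TOKEN) -> bytes:
    """Same secret, but attacker input is never written into the page: nothing to measure."""
    return dynamic_page(b"", secret)


def compressed_len(data: bytes) -> int:
    """Byte length of the DEFLATE (zlib-wrapped) output, i.e. what the attacker observes."""
    # Z_FIXED pins the Huffman table so a literal always costs a fixed number of bits
    # (8 for bytes < 0x90, 9 for 0x90..0xff); the fallback value 4 is zlib's constant.
    strategy = getattr(zlib, "Z_FIXED", 4)
    c = zlib.compressobj(9, zlib.DEFLATED, 15, 9, strategy)
    return len(c.compress(data) + c.flush())


# Padding bytes >= 0x90 cost 9 bits each as fixed-Huffman literals. Appending 0..7 of
# them shifts the bit stream through every byte-boundary alignment, so a guess that
# saves one literal (7-8 bits) shows up as a shorter *byte* length in at least 7 of
# the 8 trials. The bytes are distinct so they never form a match of their own.
PADS = [bytes(range(0x90, 0x90 + k)) for k in range(8)]


def oracle_score(page, guess: bytes) -> int:
    """Summed compressed length over the padding sweep; lower means a longer LZ77 match."""
    return sum(compressed_len(page(guess + pad)) for pad in PADS)


def recover_secret(page, length: int) -> str:
    """Rebuild the secret byte by byte; stop as soon as the length oracle stops discriminating."""
    known = ""
    for _ in range(length):
        scores = {c: oracle_score(page, (MARKER + known + c).encode()) for c in TOKEN_ALPHABET}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:
            # Every candidate compresses identically: the attacker's bytes did not end up
            # next to the secret (e.g. a static page), so there is no oracle to exploit.
            return known
        known += winners[0]
    return known


if __name__ == "__main__":
    print("dynamic page leaks:", repr(recover_secret(dynamic_page, len(SECRET_TOKEN))))
    print("static page leaks: ", repr(recover_secret(static_page, len(SECRET_TOKEN))))
```

The property the demo tests is the one the answer relies on: the attack needs attacker-chosen bytes and the secret inside the same compressed body. When deciding whether a "static only" compression setting is safe, the check a practitioner would make is that no response classed as static actually embeds anything the client can influence (query parameters, headers, cookies), since that is exactly what turns a page into `dynamic_page` above.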