Questions tagged [compression]

Compression reduces the size of the file(s) being compressed by encoding information and eliminating statistical redundancy.

75 questions
108 votes, 5 answers

Can simply decompressing a JPEG image trigger an exploit?

The novel Daemon is frequently praised for being realistic in its portrayal rather than just mashing buzzwords. However, this struck me as unrealistic: Gragg's e-mail contained a poisoned JPEG of the brokerage logo. JPEGs were compressed image…
JDługosz

53 votes, 5 answers

Encryption and compression of Data

If we want both encryption and compression during transmission, then what will be the most preferable order? Encrypt then compress, or compress then encrypt?
Ali Ahmad

45 votes, 1 answer

Does WinRAR leave traces of temporarily extracted files?

If I have an encrypted RAR file which will only open using a password, and I opened a file directly from within WinRAR by double clicking the file inside WinRAR, I assume that WinRAR will create a temporary version somewhere in the drive (temp…
Nean Der Thal

43 votes, 4 answers

BREACH - a new attack against HTTP. What can be done?

Following on from CRIME, now we have BREACH to be presented at Black Hat in Las Vegas Thursday (today). From the linked article, it suggests that this attack against compression will not be as simple to turn off as was done to deter CRIME. What can…
JoltColaOfEvil

18 votes, 8 answers

Are 7-Zip password-protected split archives safe against hackers when they are password-protected a couple of times?

Imagine I wish to upload my sensitive personal information (photos, document scans, list of passwords, email backups, credit card information, etc.) on Google Drive (or any other cloud service). I want to make sure this entire bunch of data is as…
Neli

18 votes, 3 answers

Is gzipping content via TLS allowed?

So I have these few compression directives at http level in nginx: gzip on; gzip_http_version 1.1; gzip_vary on; I read that this should be avoided because of CRIME/BREACH attack, is this correct?
Florian Schneider

14 votes, 4 answers

Is it safe for GPG to compress all messages prior to encryption by default?

By default, GPG compresses text during encryption. Additionally, RFC 4880 says: 2.3. Compression OpenPGP implementations SHOULD compress the message after applying the signature but before encryption. We know that encryption does not attempt to…
Tom Marthenal

14 votes, 1 answer

JPEG artifacts leaking information about redacted contents

It was mentioned that JPEG should not be used between image creation and redaction of sensitive contents, because compression artifacts around the redacted area may leak information. Given how this lossy format works, this makes sense. Is there any…
forest

12 votes, 1 answer

Brotli compression for HTTPS

It appears that Chrome, Firefox, and soon Edge, support the new Brotli compression algorithm over HTTPS only. I can't find anything on whether this new compression algorithm is susceptible to the BREACH attack. The only relevant thing that I found…
rink.attendant.6

10 votes, 2 answers

Zlib DEFLATE decompression bomb

Can you give me an example of a short data string that, when decompressed using Zlib's DEFLATE method, expands to something much much longer? More precisely: what is the nastiest decompression bomb that one can build for Zlib's DEFLATE? The figure…
D.W.

10 votes, 1 answer

What's the best custom compression method to use when I have SSL?

Suppose I have an application which does encryption using SSL and provided you cannot control what cipher suite is being negotiated, and assuming that I have some custom compression over the data before the encryption takes place. What would be the…
Cookies

10 votes, 1 answer

Does it weaken the encryption of SSH to use compression?

When using compression on openssh (a la ssh -C ...), does this reduce entropy and make the tunnel traffic more vulnerable to cryptanalysis? Is compression an option I should disable server-side for this or any other reason? I have a vague…
TopherIsSwell

9 votes, 4 answers

With BREACH attack, is session-based CSRF token still secure?

This is something I haven't been able to wrap my head around: if BREACH allows leaking of information, do we have to mask or generate CSRF token in a time-based or per-request fashion to make it more secure? As far as I know, session-based CSRF token…
bitinn

8 votes, 3 answers

Encrypted password inside compressed archive

File compression utilities like WinRAR or ZIP or 7zip encrypt the password and store it inside the archive. How safe is that? I mean you are giving away the archive with the password inside, it's not like authenticating against a web site where the…
microwth

7 votes, 1 answer

Does encrypting a file make it larger?

I encrypted a Word document using WinRAR by setting a password. Surprisingly the archive was larger than the original file (631 vs 614KB). I then tested to see what would happen if encryption wasn't used and the result was a 612KB archive. Why is…
Celeritas