Questions tagged [gzip]

Gzip is a software application/method used to compress data. Gzip is an acronym for GNU zip. Gzip is based on the DEFLATE algorithm, a combination of LZ77 and Huffman coding.

5 questions
19
votes
1 answer

Brotli compression algorithm and BREACH attack

I spent a lot of time on BREACH attack implementations. In theory, Brotli compression, like other compressions that use LZ77 family algorithms, must be vulnerable to the BREACH attack. Experiences and tests that I did on a test environment show…
18
votes
3 answers

Is gzipping content via TLS allowed?

So I have these few compression directives at http level in nginx: gzip on; gzip_http_version 1.1; gzip_vary on; I read that this should be avoided because of CRIME/BREACH attack, is this correct?
Florian Schneider
13
votes
1 answer

To avoid BREACH, can we use gzip on non-token responses?

I work on a site that has a web interface and an API. I'm trying to determine if we can safely use gzip, or if that will open us to BREACH. The site says: If you have an HTTP response body that meets all the following conditions, you might be…
Nathan Long
4
votes
1 answer

Are there valid reasons for compressed files (zip, gzip, etc.) to spoof file size?

Zip files, GZip files, and likely others, include information about the contained file, including the uncompressed size of the file. However, when extracting these files the number is meaningless as the actual data can be much larger (eg: reported…
Tarka
3
votes
3 answers

is g-zipping assets a security concern?

I recently noticed that the assets sent to clients aren't gzipped or minified on either my company's intranet or its public-facing website. I brought this to the attention of the networking department (who maintain the server) and asked if they…
Luke