How do I disable HTTP-level compression?

6

1

BREACH, a new attack on SSL that targets HTTP compression, has recently been publicly announced. The emerging advice for how to defend against BREACH seems to be: turn off HTTP compression.

So, how do I turn off HTTP compression? What changes do I need to make to my Apache configuration? Do I need to make any changes to browsers, too?

(While I'm here, are there any other resources suggesting what changes should be made on other web servers, like Microsoft IIS?)

D.W.

Posted 2013-08-02T18:48:17.803

Reputation: 1 269

Answers

6

Apache compression is handled by mod_deflate. Just don't load or enable the module and Apache won't apply HTTP compression. Other compression (such as done within PHP) may be a bit more complicated, but BREACH deals specifically with mod_deflate-style compression.

There is also mod_gzip, which is much less popular.

tylerl

Posted 2013-08-02T18:48:17.803

Reputation: 2 064

2 – Don't just switch to gzip; you can be sure this attack will be adapted quickly enough. – Michael Hampton – 2013-08-03T16:18:29.457

2 – @MichaelHampton The point wasn't switch to mod_gzip, but rather also disable mod_gzip. – tylerl – 2013-08-03T18:59:31.797

Note that if you serve both secure and non-secure content (whether this is a good practice is a different discussion, but I digress), this will disable compression for all content, which may not be what you want. – Moshe Katz – 2013-08-08T00:38:33.880
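As an added example (not part of the original answer or comments), the two configurations the discussion points at: removing mod_deflate outright, and the narrower variant Moshe Katz's comment asks for, where compression stays on for plain HTTP but is switched off on the TLS virtual host. It assumes Apache 2.4 with a Debian-style module layout; `example.com` and the certificate paths are placeholders. mod_deflate skips any request whose environment has the `no-gzip` variable set, which is the documented mechanism used here.

```apache
# Added example, not from the original page. Assumes Apache 2.4.

# Option 1: never load the module. Comment out the LoadModule line
# (on Debian/Ubuntu: a2dismod deflate) and remove any DEFLATE filter
# directives; with no module there is nothing that can compress.
# LoadModule deflate_module modules/mod_deflate.so

# Option 2: keep compression for plain HTTP, disable it only where the
# response travels over TLS, which is the only place BREACH applies.
<IfModule mod_deflate.c>
    <VirtualHost *:80>
        ServerName example.com            # placeholder
        AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript
    </VirtualHost>

    <VirtualHost *:443>
        ServerName example.com            # placeholder
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/example.com.pem    # placeholder path
        SSLCertificateKeyFile /etc/ssl/private/example.com.key  # placeholder path
        # no-gzip makes mod_deflate leave every response in this vhost
        # uncompressed, regardless of the client's Accept-Encoding.
        SetEnv no-gzip 1
    </VirtualHost>
</IfModule>
```

To confirm the setting took effect, request a page over HTTPS with `curl -sI -H 'Accept-Encoding: gzip' https://example.com/` and check that no `Content-Encoding: gzip` header comes back, while the same request over `http://` still does. Note that `no-gzip` only governs mod_deflate; compression performed inside the application (PHP's `zlib.output_compression`, for instance) has to be turned off separately.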