#919320 nginx-extras: Would you please consider replacing Gzip module with Brotli for compression?
- Package: nginx-extras
- Source: nginx
- Description: nginx web/proxy server (extended version)
- Submitter: Abigaile Johannesburg
- Date: 2022-02-10 01:45:03 UTC
- Severity: wishlist
Hello nginx maintainers,

At the moment, the nginx-extra package includes the gzip module as one of the optional http modules. However, it seems Gzip compression is vulnerable to the BREACH [1] attack, and the vulnerability researchers' recommendation is to disable Gzip compression. There are also discussions on stackexchange [2]. Instead of disabling compression over TLS/SSL completely, Google seems to be using a different compression scheme, Brotli [3]. Would you consider replacing the nginx Gzip module with Brotli?

Thanks,
Abi

---
[1] http://breachattack.com/#mitigations
[2] https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
[3] https://github.com/google/ngx_brotli
FYI if I remember right BREACH is a risk in Brotli as well. Also Brotli has a few code level concerns that the Ubuntu Security Team saw in a cursory review that could lead to crashes which made it judged 'not suitable for inclusion'. Just wanted to share this info.
Then how about keeping Gzip and including the length_hiding module in nginx-extra instead? https://github.com/nulab/nginx-length-hiding-filter-module

Or should we not use any compression at all?

Thanks,
Abi

Jan 14, 2019, 11:05 PM by teward@dark-net.net:
Just to mention https://github.com/google/ngx_brotli has been forked then merged back and revived. The current 1.0.0rc seems to be working. Jérémy
Notes: rejected downstream in Ubuntu for Security concerns (BREACH, etc.)

-------- Original message --------
From: Jérémy Lal <kapouer@melix.org>
Date: 6/30/20 15:36 (GMT-05:00)
To: Debian Bug Tracking System <919320@bugs.debian.org>
Subject: Bug#919320: nginx-extras: Would you please consider replacing Gzip module with Brotli for compression?

Package: nginx-extras
Version: 1.18.0-3
Followup-For: Bug #919320

Just to mention https://github.com/google/ngx_brotli has been forked then merged back and revived. The current 1.0.0rc seems to be working.

Jérémy

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nginx-extras depends on:
ii  iproute2                               5.7.0-1
ii  libc6                                  2.30-8
ii  libcrypt1                              1:4.4.16-1
pn  libnginx-mod-http-auth-pam             <none>
pn  libnginx-mod-http-cache-purge          <none>
pn  libnginx-mod-http-dav-ext              <none>
ii  libnginx-mod-http-echo                 1.18.0-a3
pn  libnginx-mod-http-fancyindex           <none>
pn  libnginx-mod-http-geoip                <none>
pn  libnginx-mod-http-geoip2               <none>
ii  libnginx-mod-http-headers-more-filter  1.18.0-a3
pn  libnginx-mod-http-image-filter         <none>
ii  libnginx-mod-http-lua                  1.18.0-a3
pn  libnginx-mod-http-perl                 <none>
pn  libnginx-mod-http-subs-filter          <none>
pn  libnginx-mod-http-uploadprogress       <none>
pn  libnginx-mod-http-upstream-fair        <none>
pn  libnginx-mod-http-xslt-filter          <none>
pn  libnginx-mod-mail                      <none>
pn  libnginx-mod-nchan                     <none>
pn  libnginx-mod-stream                    <none>
pn  libnginx-mod-stream-geoip              <none>
pn  libnginx-mod-stream-geoip2             <none>
ii  libpcre3                               2:8.39-13
ii  libssl1.1                              1.1.1g-1
ii  nginx-common                           1.18.0-a3
ii  zlib1g                                 1:1.2.11.dfsg-2

nginx-extras recommends no packages.

Versions of packages nginx-extras suggests:
ii  nginx-doc  1.18.0-a3
On Tue, 30 Jun 2020 15:47:06 -0400 Thomas Ward <teward@thomas-ward.net> wrote:
> Notes: rejected downstream in Ubuntu for Security concerns (BREACH, etc.)

OK, but having brotli_static can be really useful for pre-compressed assets. And for now, there is no solution in the packaged version :/

Adrien
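An added configuration example, not taken from this bug thread, the Debian package or the ngx_brotli project: it shows the split the thread circles around, namely serving pre-compressed static assets with brotli_static (and gzip_static as the fallback) while leaving on-the-fly compression off for dynamic, authenticated responses, which is where BREACH applies because secrets and reflected input end up in the same compressed body. The module path, hostname, certificate paths, document root and upstream port are placeholders chosen for the example; `brotli_static` is the ngx_brotli directive, `gzip_static` the stock nginx one.

```nginx
# Added example, not the package's shipped configuration.
# Assumes ngx_brotli's static module is built and installed at this path (assumption).
load_module modules/ngx_http_brotli_static_module.so;

http {
    # On-the-fly compression stays off: dynamic responses can carry a per-user secret
    # (CSRF token, session data) next to attacker-influenced input, the BREACH precondition.
    gzip off;

    server {
        listen 443 ssl;
        server_name example.com;                           # placeholder
        ssl_certificate     /etc/ssl/certs/example.pem;    # placeholder
        ssl_certificate_key /etc/ssl/private/example.key;  # placeholder

        # Static assets contain no per-user secrets, so serving files that were
        # compressed ahead of time (foo.js.br / foo.js.gz) does not create a BREACH oracle
        # and still gives clients a compressed transfer.
        location /static/ {
            root /srv/www;            # placeholder document root
            brotli_static on;         # serve foo.js.br when Accept-Encoding lists br
            gzip_static   on;         # otherwise serve foo.js.gz if the client accepts gzip
            add_header Cache-Control "public, max-age=31536000, immutable";
        }

        # Dynamic, authenticated responses go to the application uncompressed;
        # the gzip off above is inherited here.
        location / {
            proxy_pass http://127.0.0.1:8080;   # placeholder upstream
            proxy_set_header Host $host;
        }
    }
}
```

The split only holds if nothing under /static/ is generated per user; anything that embeds a session-bound value belongs in the uncompressed location. Check the result with `curl -sI -H 'Accept-Encoding: br' https://example.com/static/foo.js` (expect `Content-Encoding: br`) and the same request against a dynamic path (expect no Content-Encoding header).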