#919320 nginx-extras: Would you please consider replacing Gzip module with Brotli for compression?

Package:
nginx-extras
Source:
nginx
Description:
nginx web/proxy server (extended version)
Submitter:
Abigaile Johannesburg
Date:
2022-02-10 01:45:03 UTC
Severity:
wishlist
#919320#5
Date:
2019-01-14 22:21:04 UTC
From:
To:
Hello nginx maintainers,

At the moment, nginx-extra package includes gzip module as one of the optional http modules. However it seems Gzip compression is vulnerable to BREACH [1] attack and the vulnerability researchers' recommendation is to disable Gzip compression. There are also discussions on stackexchange [2].

Instead of disabling compression over TLS/SSL completely, Google seems to be using a different compression scheme Brotli [3]. Would you consider replacing nginx Gzip module with Brotli?

Thanks,
Abi
---
[1] http://breachattack.com/#mitigations
[2] https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
[3] https://github.com/google/ngx_brotli

#919320#10
Date:
2019-01-14 23:05:47 UTC
From:
To:
FYI if I remember right BREACH is a risk in Brotli as well.

Also Brotli has a few code level concerns that the Ubuntu Security Team saw
in a cursory review that could lead to crashes which made it judged 'not
suitable for inclusion'.

Just wanted to share this info.

#919320#20
Date:
2019-01-14 23:34:01 UTC
From:
To:
Then how about keeping Gzip and include length_hiding module in nginx-extra instead?

https://github.com/nulab/nginx-length-hiding-filter-module

Or we should not use any compression at all?

Thanks,
Abi

Jan 14, 2019, 11:05 PM by teward@dark-net.net:

#919320#30
Date:
2020-03-12 20:46:45 UTC
From:
To:

#919320#35
Date:
2020-06-30 19:33:58 UTC
From:
To:
Just to mention
https://github.com/google/ngx_brotli
has been forked then merged back and revived.
The current 1.0.0rc seems to be working.

Jérémy

#919320#40
Date:
2020-06-30 19:47:06 UTC
From:
To:
Notes: rejected downstream in Ubuntu for Security concerns (BREACH, etc.)

Sent from my Sprint Samsung Galaxy Note10+.

-------- Original message --------
From: Jérémy Lal <kapouer@melix.org>
Date: 6/30/20 15:36 (GMT-05:00)
To: Debian Bug Tracking System <919320@bugs.debian.org>
Subject: Bug#919320: nginx-extras: Would you please consider replacing Gzip module with Brotli for compression?

Package: nginx-extras
Version: 1.18.0-3
Followup-For: Bug #919320

Just to mention
https://github.com/google/ngx_brotli
has been forked then merged back and revived.
The current 1.0.0rc seems to be working.

Jérémy

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nginx-extras depends on:
ii  iproute2                               5.7.0-1
ii  libc6                                  2.30-8
ii  libcrypt1                              1:4.4.16-1
pn  libnginx-mod-http-auth-pam             <none>
pn  libnginx-mod-http-cache-purge          <none>
pn  libnginx-mod-http-dav-ext              <none>
ii  libnginx-mod-http-echo                 1.18.0-a3
pn  libnginx-mod-http-fancyindex           <none>
pn  libnginx-mod-http-geoip                <none>
pn  libnginx-mod-http-geoip2               <none>
ii  libnginx-mod-http-headers-more-filter  1.18.0-a3
pn  libnginx-mod-http-image-filter         <none>
ii  libnginx-mod-http-lua                  1.18.0-a3
pn  libnginx-mod-http-perl                 <none>
pn  libnginx-mod-http-subs-filter          <none>
pn  libnginx-mod-http-uploadprogress       <none>
pn  libnginx-mod-http-upstream-fair        <none>
pn  libnginx-mod-http-xslt-filter          <none>
pn  libnginx-mod-mail                      <none>
pn  libnginx-mod-nchan                     <none>
pn  libnginx-mod-stream                    <none>
pn  libnginx-mod-stream-geoip              <none>
pn  libnginx-mod-stream-geoip2             <none>
ii  libpcre3                               2:8.39-13
ii  libssl1.1                              1.1.1g-1
ii  nginx-common                           1.18.0-a3
ii  zlib1g                                 1:1.2.11.dfsg-2

nginx-extras recommends no packages.

Versions of packages nginx-extras suggests:
ii  nginx-doc  1.18.0-a3

#919320#45
Date:
2021-01-23 18:43:56 UTC
From:
To:
On Tue, 30 Jun 2020 15:47:06 -0400 Thomas Ward <teward@thomas-ward.net> wrote:

 > Notes: rejected downstream in Ubuntu for Security concerns (BREACH, etc.)

OK, but having brotli_static can be really useful for pre-compressed
assets. And for now, there is no solution in the packaged version :/

Adrien
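
The two positions in this thread (disable compression because of BREACH; keep brotli_static / gzip_static for pre-compressed assets) are not actually in conflict, and the following configuration shows how they fit together. It is an added example, not part of the bug report and not the Debian package's shipped configuration; the upstream name, document root, certificate paths and server name are placeholders. BREACH needs a response that both contains a per-user secret and reflects attacker-chosen input through the same compression context, so the policy is: no on-the-fly compression for dynamic responses, and only pre-compressed files for static assets, which are identical for every user and reflect nothing.

```nginx
http {
    # Default for everything: no on-the-fly compression. It is re-enabled only
    # for content that cannot contain per-user secrets next to reflected input.
    gzip off;

    upstream app_backend {            # assumed name of the application server
        server 127.0.0.1:8080;
    }

    server {
        listen 443 ssl;
        server_name example.invalid;                        # placeholder
        ssl_certificate     /etc/ssl/certs/example.pem;     # placeholder
        ssl_certificate_key /etc/ssl/private/example.key;   # placeholder

        # Dynamic pages: rendered per user (session data, CSRF tokens) and
        # usually echoing request parameters. With gzip off, the response
        # length no longer depends on how well attacker-controlled input
        # compresses against the secret, which is the signal BREACH measures.
        # Random-length padding (the length-hiding module mentioned above)
        # only adds noise to that signal; leaving compression off removes it.
        location / {
            gzip off;
            proxy_pass http://app_backend;
        }

        # Static assets: the same bytes for every client, so compressing them
        # leaks nothing per user. Serve files compressed at build time
        # (app.css.gz / app.css.br) rather than compressing per request.
        location /static/ {
            root /var/www/app;        # assumed document root
            gzip_static on;           # ngx_http_gzip_static_module, part of the
                                      # standard build: serves app.css.gz if present
            gzip_vary on;             # emit Vary: Accept-Encoding for cache correctness
            # brotli_static on;       # needs ngx_brotli, which per this thread is not
                                      # in nginx-extras; nginx refuses to start on an
                                      # unknown directive, so enable only on a build
                                      # that has the module loaded
            expires 7d;
        }
    }
}
```

The .gz and .br files next to the originals are produced by the build step, for example with the standard gzip and brotli command-line tools (`gzip -k app.css` and `brotli -k app.css`, where -k keeps the source file), so the served bytes are fixed in advance and the per-request compressor never runs on a response that might carry a secret.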

#919320#50
Date:
2022-02-10 01:37:08 UTC
From:
To:
-- 
T