There are two sorts of compression - TLS and HTTP.
It is recommended not to compress the TLS traffic (as CRIME can then be used to guess cookies etc) - compresses the whole response.
But compressing HTTP traffic is OK - unless there is some secret stored in the body of the HTML page {it only compresses the HTML of the page}
-----Original Message-----
From: Antony Stone <Antony.Stone@apache.open.source.it>
Sent: 10 October 2020 21:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] To Gzip or not? [EXT]
On Saturday 10 October 2020 at 20:23:46, Tom Browder wrote:
> I've been looking at ways to speed up my web services using
> https://urldefense.proofpoint.com/v2/url?u=https-3A__webpagetest.org&d
> =DwICbA&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4o
> DX0XM7vQ&m=wVQFv3p3IiMCFYbxf3xWL1HmlN3ZkoCLaTAM8DZEBss&s=tshPsEQ7bksjr
> YsoZ14lId3gKNLPIe14r5lCkak7ujU&e= for analysis. One thing I've been
> reading about is using mod_deflate to compress certain files but keep
> seeing the warnings
Which warnings? Where?
> about using compression with https due to certain known threats.
What threats?
> In my searches so far I've not found anything saying that threat has
> been mitigated. Does anyone here use compression with TLS or have any
> current advice about the issue?
Can you point us at any document about what this "issue" is, so that we know what "threat" you're concerned about?
Antony.
--
Was ist braun, liegt ins Gras, und raucht?
Ein Kaminchen...
Please reply to the list;
please *don't* CC me.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
--
The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
It is recommended not to compress the TLS traffic (as CRIME can then be used to guess cookies etc) - compresses the whole response.
But compressing HTTP traffic is OK - unless there is some secret stored in the body of the HTML page {it only compresses the HTML of the page}
-----Original Message-----
From: Antony Stone <Antony.Stone@apache.open.source.it>
Sent: 10 October 2020 21:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] To Gzip or not? [EXT]
On Saturday 10 October 2020 at 20:23:46, Tom Browder wrote:
> I've been looking at ways to speed up my web services using
> https://urldefense.proofpoint.com/v2/url?u=https-3A__webpagetest.org&d
> =DwICbA&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4o
> DX0XM7vQ&m=wVQFv3p3IiMCFYbxf3xWL1HmlN3ZkoCLaTAM8DZEBss&s=tshPsEQ7bksjr
> YsoZ14lId3gKNLPIe14r5lCkak7ujU&e= for analysis. One thing I've been
> reading about is using mod_deflate to compress certain files but keep
> seeing the warnings
Which warnings? Where?
> about using compression with https due to certain known threats.
What threats?
> In my searches so far I've not found anything saying that threat has
> been mitigated. Does anyone here use compression with TLS or have any
> current advice about the issue?
Can you point us at any document about what this "issue" is, so that we know what "threat" you're concerned about?
Antony.
--
Was ist braun, liegt ins Gras, und raucht?
Ein Kaminchen...
Please reply to the list;
please *don't* CC me.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
--
The Wellcome Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org