Posted to dev@tomcat.apache.org by bu...@apache.org on 2020/05/13 14:59:51 UTC

[Bug 64431] New: Enable response compression by default

https://bz.apache.org/bugzilla/show_bug.cgi?id=64431

            Bug ID: 64431
           Summary: Enable response compression by default
           Product: Tomcat 10
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: candrews@integralblue.com
  Target Milestone: ------

In Tomcat 10, I believe that compression should be enabled by default for the
HTTP connector. In other words, change the default value of
Connector#compression from "off" to "on" as documented at:
https://tomcat.apache.org/tomcat-10.0-doc/config/http.html

I don't believe that there's any (significant) downside to enabling compression
by default, and I believe doing so aligns with the best experience for Tomcat's
users. Years ago, the extra CPU consumption of compression may have been a
concern, but I think the time for that worry has passed - the reduced network
transfer is far more important for almost all situations. The default
values of "compressionMinSize", "compressibleMimeType", and
"noCompressionUserAgents" ensure that compressing is done in a useful, safe
way.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 64431] Enable response compression by default

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431

--- Comment #6 from Mark Thomas <ma...@apache.org> ---
I have no strong view either way (although I am open to being persuaded one way
or the other). I've asked the user community for their views.



[Bug 64431] Enable response compression by default

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431

--- Comment #2 from Craig <ca...@integralblue.com> ---
(In reply to Remy Maucherat from comment #1)
> I'd likely vote no to this proposal.

For posterity, why not?

> It is not a bug, anyway.

I filed it as an "enhancement" not a bug - was that not the right thing? If
not, I apologize!



[Bug 64431] Enable response compression by default

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431

--- Comment #4 from Craig <ca...@integralblue.com> ---
> 
> CRIME, BREACH.
> 
CRIME is a vulnerability that applies to TLS compression - I'm not suggesting
here that TLS compression be used (it was actually removed in TLS 1.3). So I
don't believe CRIME is relevant.

BREACH is relevant... There are mitigations (such as SameSite cookies), but
there's no guarantee that applications running Tomcat have implemented them. So
I see your point :)

Does Tomcat have any mitigations for BREACH in place today? It seems Tomcat
doesn't do any kind of random response padding (such as with empty response
chunks or randomly sized response chunking).



[Bug 64431] Enable response compression by default

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431

Craig <ca...@integralblue.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |candrews@integralblue.com



[Bug 64431] Enable response compression by default

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431

--- Comment #5 from Craig <ca...@integralblue.com> ---
I don't think BEAST is still relevant, see
https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat for a
detailed explanation.

So I still suggest that Tomcat change the default to enable HTTP response
compression.



[Bug 64431] Enable response compression by default

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431

--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Craig from comment #2)
> (In reply to Remy Maucherat from comment #1)
> > I'd likely vote no to this proposal.
> 
> For posterity, why not?

CRIME, BREACH.

I'm in favor of HTTP compression for static files (e.g. CSS, javascript, maybe
SVG), but not for dynamically-generated content.


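Added example, not part of the thread or of Tomcat's shipped configuration: the position in comment #3 (compress static types, leave dynamically generated content uncompressed) written with the Connector attributes named in the original report. The port, the MIME lists and the use of MIME type as a stand-in for "static" are assumptions; TLS settings are omitted.

```xml
<!-- server.xml fragments (added example). Use ONE of the two Connectors,
     not both: they are alternatives shown side by side. -->

<!-- Option A: compression on for everything textual.
     text/html and application/json are typically generated per request and
     can carry secrets (CSRF tokens, session-bound data) next to reflected
     input, which is the response shape BREACH depends on. -->
<Connector port="8443" protocol="HTTP/1.1"
           compression="on"
           compressionMinSize="2048"
           compressibleMimeType="text/html,text/plain,text/css,text/javascript,application/javascript,application/json" />

<!-- Option B: compression on, but only for types that are normally served
     as static files. HTML, JSON and XML responses are left uncompressed,
     so their length does not depend on how well secret and reflected
     content compress together.
     Caveat: MIME type is only a proxy for "static". An application that
     writes secrets into generated CSS or JavaScript is still exposed. -->
<Connector port="8443" protocol="HTTP/1.1"
           compression="on"
           compressionMinSize="2048"
           compressibleMimeType="text/css,text/javascript,application/javascript,image/svg+xml" />
```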

[Bug 64431] Enable response compression by default

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #7 from Mark Thomas <ma...@apache.org> ---
There wasn't much community feedback, but the feedback that there was was that
it would be best to leave the compression setting as is. Reasons mentioned
included:
- interaction with some clients (still!)
- behaviour behind reverse proxies generally
- interaction with CDNs specifically

I am therefore resolving this as WONTFIX.



[Bug 64431] Enable response compression by default

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431

Remy Maucherat <re...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement

--- Comment #1 from Remy Maucherat <re...@apache.org> ---
I'd likely vote no to this proposal. It is not a bug, anyway.
