You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by James Smith <js...@sanger.ac.uk> on 2020/10/10 21:12:36 UTC

RE: [users@httpd] To Gzip or not? [EXT]

There are two sorts of compression - TLS and HTTP.

It is recommended not to compress the TLS traffic (as CRIME can then be used to guess cookies etc) - compresses the whole response.
But compressing HTTP traffic is OK - unless there is some secret stored in the body of the HTML page {it only compresses the HTML of the page}


-----Original Message-----
From: Antony Stone <An...@apache.open.source.it> 
Sent: 10 October 2020 21:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] To Gzip or not? [EXT]

On Saturday 10 October 2020 at 20:23:46, Tom Browder wrote:

> I've been looking at ways to speed up my web services using 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__webpagetest.org&d
> =DwICbA&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4o
> DX0XM7vQ&m=wVQFv3p3IiMCFYbxf3xWL1HmlN3ZkoCLaTAM8DZEBss&s=tshPsEQ7bksjr
> YsoZ14lId3gKNLPIe14r5lCkak7ujU&e=  for analysis. One thing I've been 
> reading about is using mod_deflate to compress certain files but keep 
> seeing the warnings

Which warnings?  Where?

> about using compression with https due to certain known threats.

What threats?

> In my searches so far I've not found anything saying that threat has 
> been mitigated. Does anyone here use compression with TLS or have any 
> current advice about the issue?

Can you point us at any document about what this "issue" is, so that we know what "threat" you're concerned about?


Antony.

-- 
Was ist braun, liegt ins Gras, und raucht?
Ein Kaminchen...

                                                   Please reply to the list;
                                                         please *don't* CC me.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] To Gzip or not? [EXT]

Posted by Daniel Ferradal <df...@apache.org>.

Can you please STOP breaking threads by adding the [EXT] thing to the
title, it is getting quite annoying.

El sáb., 10 oct. 2020 a las 23:14, James Smith (<js...@sanger.ac.uk>) escribió:
>
> There are two sorts of compression - TLS and HTTP.
>
> It is recommended not to compress the TLS traffic (as CRIME can then be used to guess cookies etc) - compresses the whole response.
> But compressing HTTP traffic is OK - unless there is some secret stored in the body of the HTML page {it only compresses the HTML of the page}
>
>
> -----Original Message-----
> From: Antony Stone <An...@apache.open.source.it>
> Sent: 10 October 2020 21:01
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] To Gzip or not? [EXT]
>
> On Saturday 10 October 2020 at 20:23:46, Tom Browder wrote:
>
> > I've been looking at ways to speed up my web services using
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__webpagetest.org&d
> > =DwICbA&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4o
> > DX0XM7vQ&m=wVQFv3p3IiMCFYbxf3xWL1HmlN3ZkoCLaTAM8DZEBss&s=tshPsEQ7bksjr
> > YsoZ14lId3gKNLPIe14r5lCkak7ujU&e=  for analysis. One thing I've been
> > reading about is using mod_deflate to compress certain files but keep
> > seeing the warnings
>
> Which warnings?  Where?
>
> > about using compression with https due to certain known threats.
>
> What threats?
>
> > In my searches so far I've not found anything saying that threat has
> > been mitigated. Does anyone here use compression with TLS or have any
> > current advice about the issue?
>
> Can you point us at any document about what this "issue" is, so that we know what "threat" you're concerned about?
>
>
> Antony.
>
> --
> Was ist braun, liegt ins Gras, und raucht?
> Ein Kaminchen...
>
>                                                    Please reply to the list;
>                                                          please *don't* CC me.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
> --
>  The Wellcome Sanger Institute is operated by Genome Research
>  Limited, a charity registered in England with number 1021457 and a
>  company registered in England with number 2742969, whose registered
>  office is 215 Euston Road, London, NW1 2BE.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>


-- 
Daniel

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org