FYI, if I remember right, BREACH is a risk in Brotli as well. Also, Brotli has a few code-level concerns that the Ubuntu Security Team saw in a cursory review that could lead to crashes, which led to it being judged 'not suitable for inclusion'.
Just wanted to share this info.

On Mon, Jan 14, 2019, 17:46 Abigaile Johannesburg <a...@tuta.io> wrote:
> Package: nginx-extras
> Version: 1.14.2-2
> Severity: wishlist
>
> Hello nginx maintainers,
>
> At the moment, the nginx-extras package includes the gzip module as one of the
> optional http modules. However, it seems Gzip compression is vulnerable to the
> BREACH [1] attack, and the vulnerability researchers' recommendation is to
> disable Gzip compression. There are also discussions on stackexchange [2].
>
> Instead of disabling compression over TLS/SSL completely, Google seems to
> be using a different compression scheme, Brotli [3]. Would you consider
> replacing the nginx Gzip module with Brotli?
>
> Thanks,
> Abi,
>
> ---
> [1] http://breachattack.com/#mitigations
> [2] https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
> [3] https://github.com/google/ngx_brotli
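For readers weighing the options discussed in this thread, the following nginx configuration is an added example (it is not from the bug report, the Debian package, or the ngx_brotli project). It applies the mitigation the BREACH authors list first, disabling HTTP compression, but only where it matters: dynamic responses that carry per-user secrets next to request-influenced content. The server name, paths and backend address are placeholders. Swapping gzip for Brotli does not change the picture, since BREACH measures the compressed length of the TLS record body, not the algorithm that produced it; the same `off` applies to ngx_brotli's directive.

```nginx
# Added example, not from the thread. Hostname, paths and upstream are placeholders.
http {
    # Compress only static, user-independent asset types.
    # Caveat: nginx compresses text/html whenever gzip is on, regardless of
    # gzip_types, so dynamic HTML has to be excluded with "gzip off" per location.
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;

    server {
        listen 443 ssl;
        server_name example.invalid;                       # placeholder
        ssl_certificate     /etc/ssl/placeholder.crt;      # placeholder
        ssl_certificate_key /etc/ssl/placeholder.key;      # placeholder

        # Static assets: no secrets, nothing attacker-influenced, safe to compress.
        location /static/ {
            root /srv/www;                                 # placeholder path
        }

        # Dynamic pages: the body embeds session/CSRF tokens and may reflect
        # request data, which is exactly the combination BREACH exploits.
        location / {
            gzip off;
            # If ngx_brotli is compiled in, disable it here as well:
            # brotli off;
            proxy_pass http://127.0.0.1:8080;              # placeholder backend
        }
    }
}
```

Validate with `nginx -t` before reloading. Turning compression off for the dynamic paths removes the length oracle for those responses; the other mitigations on the referenced page (separating secrets from user input, per-request token masking, CSRF protection, length hiding and rate limiting) address the same risk at the application layer and can be layered on top when compressing dynamic HTML is unavoidable.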