Summary: | Enable response compression by default | ||
---|---|---|---|
Product: | Tomcat 10 | Reporter: | Craig <candrews> |
Component: | Connectors | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED WONTFIX | ||
Severity: | enhancement | CC: | candrews |
Priority: | P2 | ||
Version: | unspecified | ||
Target Milestone: | ------ | ||
Hardware: | PC | ||
OS: | Linux |
Description
Craig
2020-05-13 14:59:51 UTC
I'd likely vote no to this proposal. It is not a bug, anyway. (In reply to Remy Maucherat from comment #1) > I'd likely vote no to this proposal. For posterity, why not? >It is not a bug, anyway. I filed it as an "enhancement" not a bug - was that not the right thing? If not, I apologize! (In reply to Craig from comment #2) > (In reply to Remy Maucherat from comment #1) > > I'd likely vote no to this proposal. > > For posterity, why not? CRIME, BREACH. I'm in favor of HTTP compression for static files (e.g. CSS, javascript, maybe SVG), but not for dynamically-generated content. >
> CRIME, BREACH.
>
CRIME is a vulnerability that applies to TLS compression - I'm not suggesting here that TLS compression be used (it was actually removed in TLS 1.3). So I don't believe CRIME is relevant.
BREACH is relevant... There are mitigations (such as SameSite cookies), but there's no guarantee that applications running Tomcat have implemented them. So I see your point :)
Roes Tomcat have any mitigations for BREACH in place today? It seems Tomcat doesn't do any kind of random response padding (such as with empty response chunks or randomly sized response chunking).
I don't think BEAST is still relevant, see https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat for a details explanation. So I still suggest that Tomcat change the default to enable HTTP response compression. I have no strong view either way (although I am open to being persuaded one way or the other). I've asked the user community for their views. There wasn't much community feedback, but the feedback that there was was that it would be best to leave the compression setting as is. Reasons mentioned included: - interaction with some clients (still!) - behaviour behind a reverse proxies generally - interaction with CDNs specifically I am therefore resolving this as WONTFIX. |