Caddy, gzip and CRIME/BREACH

Given that the attack vector for CRIME and BREACH is (specifically) compressed content under HTTP/2, wouldn’t use of gzip with Caddy present a security risk? (I’m not going to argue the merits of performance vs. safety, just asking the obvious question about security stance.)

Rodney

BREACH requires:

  1. gzip/deflate
  2. user data (POST or GET parameters)
  3. a secret

If your web application serves user data or a secret, then you should disable gzip for any web server that’s serving it. Or separate the user data and the secret. Or randomize the secrets for each request. There are server-level mitigations or application-level mitigations. You choose which is best for you.

CRIME

In 2012, only 7% of browsers supported TLS compression, and surely that number is even lower today, 4 years later. Go doesn’t support TLS compression.
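To make the three ingredients listed above, and the "randomize the secrets for each request" mitigation, concrete, here is an added example in Go. It is not code from this thread, from Caddy or from any real application: the page template, the CSRF secret, the pads and the toy LZ77 coder are all constructed for the demonstration. The toy coder charges a fixed price per back-reference, so the size difference between a right and a wrong guess is exactly one unit; real gzip puts Huffman coding on top, which is why actual BREACH attacks need many requests and statistical tricks, but the lever is the same.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Toy LZ77 coder: a literal costs 1 unit, a back-reference 3 units whatever its
// length, so extending a match is free and a new literal is not (BREACH's lever).
func compressedSize(data []byte) int {
	size := 0
	for i := 0; i < len(data); {
		best := 0
		for j := 0; j < i; j++ { // longest match starting anywhere earlier
			k := 0
			for i+k < len(data) && data[j+k] == data[i+k] {
				k++
			}
			if k > best {
				best = k
			}
		}
		if best >= 3 { // DEFLATE's minimum match length
			size += 3
			i += best
		} else {
			size++
			i++
		}
	}
	return size
}

// renderPage is the constructed vulnerable app: the CSRF token (the secret)
// and the echoed query string (user data) share one compressed response.
func renderPage(csrfToken, query string) []byte {
	return []byte(`<input name="csrf" value="` + csrfToken +
		`"><p>You searched for: ` + query + `</p></body></html>`)
}

// recoverToken is the attacker, who sees only response sizes. Each guess echoes
// the known prefix plus one candidate; the one that extends the match against
// the real token is one unit smaller. The closing quote marks the token's end.
func recoverToken(oracle func(query string) int, maxLen int) string {
	const alphabet = `0123456789abcdef"`
	known := ""
	for len(known) < maxLen {
		bestChar, bestSize := byte(0), -1
		for _, c := range []byte(alphabet) {
			if size := oracle(`value="` + known + string(c)); bestSize < 0 || size < bestSize {
				bestChar, bestSize = c, size
			}
		}
		if bestChar == '"' {
			break
		}
		known += string(bestChar)
	}
	return known
}

// maskToken is the "randomize the secrets for each request" mitigation (as Rails
// and Django do for CSRF): token = hex(pad) || hex(pad XOR secret), fresh pad per response.
func maskToken(secret, pad []byte) string {
	masked := make([]byte, len(secret))
	for i := range secret {
		masked[i] = secret[i] ^ pad[i]
	}
	return hex.EncodeToString(pad) + hex.EncodeToString(masked)
}

// unmaskToken is the server side: XOR the two halves back together.
func unmaskToken(token string) ([]byte, error) {
	raw, err := hex.DecodeString(token)
	if err != nil || len(raw)%2 != 0 {
		return nil, fmt.Errorf("malformed token %q", token)
	}
	for i := 0; i < len(raw)/2; i++ {
		raw[i] ^= raw[len(raw)/2+i]
	}
	return raw[:len(raw)/2], nil
}

func main() {
	secret := []byte{0x3f, 0x9a, 0x7c}   // constructed CSRF secret
	static := hex.EncodeToString(secret) // same token in every response
	got := recoverToken(func(q string) int {
		return compressedSize(renderPage(static, q))
	}, 16)
	fmt.Printf("static token %s: attacker recovered %q\n", static, got)
	// Masked: each oracle call is a new request with a fresh pad, so candidates are scored against different tokens: noise.
	got = recoverToken(func(q string) int {
		pad := make([]byte, len(secret))
		rand.Read(pad) // crypto/rand; fills pad (never errors on current Go)
		return compressedSize(renderPage(maskToken(secret, pad), q))
	}, 12)
	fmt.Printf("masked tokens: attacker recovered %q (noise)\n", got)
}
```

Run it with `go run`. With the static token the attacker walks the whole value out one character per round, using nothing but response sizes; with a per-request mask every response carries different bytes, so the guesses are compared against different tokens and the recovered string is garbage, while the server still unmasks and validates. Each of the mitigations in the reply removes one ingredient: no gzip means matches cost nothing to miss, not echoing user input removes the attacker's probe, and masking changes the secret under the attacker's feet.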

Fair points, thank you very much for the clarification!

Rodney