eustas/ngx_brotli

BREACH concern: 'text/html' is always compressed

Closed this issue · 3 comments

By having text/html "always compressed" you introduce a persistent BREACH risk to your data.

It would be better if you have text/html as the 'default' option for brotli_types, but allow people to override it to exclude the text/html MIME type.

By forcing text/html to be compressed all the time, a compressed HTML body containing some secret information could be vulnerable to BREACH. Adjusting the defaults to allow brotli_types to be overridden to exclude text/html would help to mitigate this risk.

(NGINX upstream has gzip_types always compress text/html which is its own issue, and should probably be overridable, yet it isn't - this is https://trac.nginx.org/nginx/ticket/1083 to some extent)
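The point the report makes, shown concretely as an added example (not code from this issue or from ngx_brotli): when a reflected parameter and a per-session secret land in the same compressed text/html body, the compressed length depends on how much of the secret the reflected value shares, which is the signal BREACH relies on. The block also shows the usual application-side mitigation for responses that must stay compressed, per-response masking of the secret so the bytes on the wire differ every time. It assumes zlib (DEFLATE) as a stand-in for brotli, since the length side-channel arises from LZ77-style matching in both; the HTML template, token value and reflected values are constructed for the example.

```python
"""Compressed-length side channel in an HTML body and a masking mitigation.

Added example, not part of the ngx_brotli issue or project. zlib stands in
for brotli (assumption); the page, token and reflected strings are constructed.
"""
import secrets
import zlib

# Constructed per-session secret that the page embeds in a hidden field.
CSRF_TOKEN = "9f3a7c1e5b2d4a6c"


def render(reflected: str, token_field: str) -> bytes:
    """Constructed text/html body: an echoed query parameter and a secret
    token field share one response, so one compression context."""
    return (
        "<html><body>"
        f"<p>Search results for: {reflected}</p>"
        f'<input type="hidden" name="csrf" value="{token_field}">'
        "</body></html>"
    ).encode()


def compressed_len(body: bytes) -> int:
    """Length of the body as a DEFLATE stream (stand-in for brotli)."""
    return len(zlib.compress(body, 9))


def length_gap(token_field: str, right: str, wrong: str) -> int:
    """Bytes saved when the reflected value shares a prefix with the token
    field ('right') versus an unrelated value ('wrong'). A non-negative,
    usually positive, gap is exactly the leak an always-compressed
    text/html response exposes."""
    return compressed_len(render(wrong, token_field)) - compressed_len(
        render(right, token_field)
    )


def mask_token(token: str) -> str:
    """Per-response masking (the approach web frameworks use for CSRF
    tokens): XOR the secret with a fresh random pad and emit pad || masked.
    The underlying secret is constant, but the field bytes differ on every
    response, so a guess can no longer accumulate matches against them."""
    raw = token.encode()
    pad = secrets.token_bytes(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, pad))
    return (pad + masked).hex()


def unmask_token(field: str) -> str:
    """Server-side inverse of mask_token, used before comparing the token."""
    data = bytes.fromhex(field)
    half = len(data) // 2
    pad, masked = data[:half], data[half:]
    return bytes(a ^ b for a, b in zip(pad, masked)).decode()


if __name__ == "__main__":
    # Unmasked: a reflected value that matches the token prefix compresses
    # the page to fewer bytes than an unrelated value of the same length.
    print("gap, raw token:", length_gap(CSRF_TOKEN, 'value="9f3a7c1', 'value="zzzzzzz'))
    # Masked: the field is different on every render, so the same guess
    # gives no stable gap to correlate across responses.
    for _ in range(3):
        field = mask_token(CSRF_TOKEN)
        assert unmask_token(field) == CSRF_TOKEN
        print("gap, masked token:", length_gap(field, 'value="9f3a7c1', 'value="zzzzzzz'))
```

Masking does not remove the need for the configuration control the issue asks for: it only helps where the application owns every secret on the page. The operator-level mitigation is still to be able to take text/html out of `brotli_types` (and `gzip_types`) for responses that carry secrets.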

Oh, I see - this is because the "types" are merged with ngx_http_html_default_types... What a strange decision to add a default that is impossible to turn off.
Will fix soon. Thanks.

@eustas Yeah, this has a bug in NGINX Trac to try and unbundle the 'default' type of text/html from the "Always Compress" list. If we can override that in Brotli then the workaround that was stated there becomes even more secure (but further, we can specify compression types to NOT be text/html if we don't want it to be).

I await a nice fix :)

Moved the issue to the upstream