Bug 513625

Summary: Should we enable gzip compression on the HTTP server instances?
Product: [IoT] Kapua    Reporter: Claudio Mezzasalma <claudio.mezzasalma>
Component: General    Assignee: Project inbox <kapua-inbox>
Status: NEW --- QA Contact:
Severity: normal    
Priority: P3 CC: alberto.codutti, contact, wayne.beaton
Version: unspecified    Keywords: security
Target Milestone: ---   
Hardware: All   
OS: All   
Whiteboard:

Description Claudio Mezzasalma CLA 2017-03-14 05:48:36 EDT
After merging #376 [1] and reading about BREACH attacks [2] I'd like to collect some feedback about enabling gzip compression by default on our HTTP containers. breachattack.com [3] has some resources about the attack, and some proposals to mitigate such attacks.

What do you think?

[1] https://github.com/eclipse/kapua/pull/376
[2] https://en.wikipedia.org/wiki/BREACH_%28security_exploit%29
[3] http://breachattack.com/
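The length leak behind BREACH, and the per-response masking mitigation that breachattack.com lists, as an added example (not part of this report and not Kapua's code): a page that reflects attacker-controlled input next to a secret, a compressed-size oracle, and the guess loop that grows the secret one character at a time. The page template, the secret `a7f3c9e1`, the `csrf=` bootstrap string and the greedy LZ77 cost model are all constructed for the demo; the cost model stands in for DEFLATE's matching stage so that the length signal is exact, and a real zlib oracle is tried alongside it for comparison.

```python
import secrets
import zlib

# Constructed values for the demo (hypothetical; not Kapua's code or data).
SECRET = "a7f3c9e1"       # per-session secret the attacker wants (8 hex chars)
HEX = "0123456789abcdef"  # alphabet the secret is drawn from
BOOTSTRAP = "csrf="       # text known to sit right before the secret in the page


def render(reflected: str, secret_field: str = SECRET) -> bytes:
    """Hypothetical response body: reflects attacker input and embeds a secret,
    the two ingredients BREACH needs besides a compressed response."""
    return f"user=guest&q={reflected}&csrf={secret_field}&end=1".encode()


def lz77_cost(data: bytes, min_match: int = 3) -> int:
    """Size of a greedy LZ77 parse: 1 unit per literal byte, 3 per back-reference.
    A deliberately simple stand-in for DEFLATE's LZ77 stage, without Huffman
    coding or byte rounding, so the length signal is exact and deterministic."""
    n, i, cost = len(data), 0, 0
    while i < n:
        best = 0
        for j in range(i):  # longest earlier match (overlap allowed, as in LZ77)
            length = 0
            while i + length < n and data[j + length] == data[i + length]:
                length += 1
            best = max(best, length)
        if best >= min_match:
            cost, i = cost + 3, i + best
        else:
            cost, i = cost + 1, i + 1
    return cost


def recover(oracle, bootstrap: str, length: int, alphabet: str = HEX):
    """BREACH-style recovery: extend the known prefix one character at a time
    and keep the candidate whose page compresses best. oracle(guess) returns
    the compressed size of the page with `guess` reflected into it.
    Returns (recovered, complete); complete is False on an ambiguous step."""
    known = ""
    for _ in range(length):
        sizes = {c: oracle(bootstrap + known + c) for c in alphabet}
        smallest = min(sizes.values())
        winners = [c for c, s in sizes.items() if s == smallest]
        if len(winners) != 1:
            return known, False
        known += winners[0]
    return known, True


def mask_secret(secret_hex: str) -> str:
    """Mitigation listed on breachattack.com: send mask || (mask XOR secret)
    with a fresh random mask per response, so the bytes on the wire differ
    every time and a guess can never accumulate a match against the secret."""
    secret = bytes.fromhex(secret_hex)
    mask = secrets.token_bytes(len(secret))
    return mask.hex() + bytes(a ^ b for a, b in zip(mask, secret)).hex()


def unmask_secret(field: str) -> str:
    """Validator side: recover the secret from a masked field."""
    half = len(field) // 2
    mask, masked = bytes.fromhex(field[:half]), bytes.fromhex(field[half:])
    return bytes(a ^ b for a, b in zip(mask, masked)).hex()


def plain_oracle(guess: str) -> int:
    """Oracle over the unmitigated page, using the toy LZ77 cost."""
    return lz77_cost(render(guess))


def zlib_oracle(guess: str) -> int:
    """Same page, real DEFLATE: Huffman coding and byte rounding blur the
    signal, which is why BREACH tooling adds tricks such as "two tries"."""
    return len(zlib.compress(render(guess)))


def masked_oracle(guess: str) -> int:
    """Oracle over the mitigated page: a fresh mask is generated per response,
    so no candidate character wins consistently across oracle calls."""
    return lz77_cost(render(guess, mask_secret(SECRET)))


if __name__ == "__main__":
    print("toy LZ77, unmasked:", recover(plain_oracle, BOOTSTRAP, len(SECRET)))
    print("zlib, unmasked:    ", recover(zlib_oracle, BOOTSTRAP, len(SECRET)))
    print("toy LZ77, masked:  ", recover(masked_oracle, BOOTSTRAP, len(SECRET)))
    print("unmask round-trip: ", unmask_secret(mask_secret(SECRET)) == SECRET)
```

Against the toy oracle the correct candidate always costs one unit less than every wrong one, so the loop recovers the whole secret; the zlib run may stop early on an ambiguous step, which is exactly the noise real attacks work around. The leak needs nothing beyond a compressed response that reflects input next to a secret, which is why enabling gzip by default is a question rather than a free win. The mask has to be fresh per response: a mask that is reused across requests just turns mask||masked into the string the attack recovers.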
Comment 1 Wayne Beaton CLA 2019-05-14 14:07:58 EDT
Any progress?

FYI, advice regarding how to handle vulnerabilities is provided by the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability
Comment 2 Wayne Beaton CLA 2020-01-10 11:43:24 EST
Can we please get a response from the project team?
Comment 3 Alberto Codutti CLA 2020-01-13 06:14:57 EST
Hi Wayne, 

In the end we decided not to enable it for now, since we didn't find any quick, easy and final solution.

The issue was discovered and fixed [1] when the project was in incubation and the first release had not yet been made, so we didn't see the need to open a CVE and follow the procedures defined by the handbook [2].

If that is fine, we can close this issue.

Regards,

- Alberto

[1] https://github.com/eclipse/kapua/commit/023a0ba18e20a27878eff9648429957ed1b9d72d
[2] https://www.eclipse.org/projects/handbook/#vulnerability