After merging #376 [1] and reading about BREACH attacks [2] I'd like to collect some feedback about enabling gzip compression by default on our HTTP containers. breachattack.com [3] has some resources about the attack, and some proposals to mitigate such attacks. What do you think?
[1] https://github.com/eclipse/kapua/pull/376
[2] https://en.wikipedia.org/wiki/BREACH_%28security_exploit%29
[3] http://breachattack.com/
Any progress? FYI, advice regarding how to handle vulnerabilities is provided by the handbook. https://www.eclipse.org/projects/handbook/#vulnerability
Can we please get a response from the project team?
Hi Wayne,
in the end we decided not to enable it for now since we didn't find any quick, easy and final solution. The issue was discovered and fixed [1] when the project was in incubation and the first release was not yet done, so we didn't see the need to open a CVE and follow the procedures defined by the handbook [2]. If that is fine, we can close this issue.
Regards,
- Alberto
[1] https://github.com/eclipse/kapua/commit/023a0ba18e20a27878eff9648429957ed1b9d72d
[2] https://www.eclipse.org/projects/handbook/#vulnerability