Revision as of 13:50, 18 April 2020 edit Artoria2e5 (talk \| contribs) Extended confirmed users, IP block exemptions 38,965 edits →Content-Encoding tokens ← Previous edit		Revision as of 13:56, 18 April 2020 edit undo Artoria2e5 (talk \| contribs) Extended confirmed users, IP block exemptions 38,965 edits →Security implications Next edit →
Line 85: ==Security implications== {{main article\|CRIME\|BREACH}} HTTP compression allows a form of [[chosen plaintext]] attack to be performed: if an attacker can inject any chosen content into the page, they can know whether the page contains their given content by observing the size increase of the encrypted stream. If the increase is smaller than expected for random injections, it means that the compressor has found a repeat in the text, i.e. the injected content overlaps the secret information. In 2012, a general attack against the use of data compression, called [[CRIME]], was announced. While the CRIME attack could work effectively against a large number of protocols, including but not limited to TLS, and application-layer protocols such as SPDY or HTTP, only exploits against TLS and SPDY were demonstrated and largely mitigated in browsers and servers. The CRIME exploit against HTTP compression has not been mitigated at all, even though the authors of CRIME have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined.

HTTP compression: Difference between revisions