Question
As I understand it, gzipping opens up a security vulnerability (BREACH/CRIME) if I use it with SSL/HTTPS.
What if I only use it on my CSS and JS files? Is it still a security vulnerability if those files are served from my server over HTTPS?
Recommended answer
From what I understand, the answer is no - it's not a security vulnerability. The CRIME/BEAST attack injects chosen plaintext to uncover original plaintext; in your case this would be CSS and JavaScript, which carry no security value. (Presumably, you serve them over HTTPS to avoid mixed content warnings in the browser.)
The attack cannot uncover your per-session symmetric key, so it cannot affect your sensitive content, assuming that content does not use gzip/deflate. Of course, if you wish to be 100% sure, you can also consider chunked encoding in addition to gzip, as per this article: https://community.qualys.com/blogs/securitylabs/2013/08/07/defending-against-the-breach-attack
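The answer's reasoning can be checked directly. A compression side channel only has something to measure when the compressed size of a response varies with request-controlled text that sits next to a secret; a static CSS file gives the same size every time. The following is an added illustration written for this page, not code from the question or answer; the CSS, the token and the page template are constructed samples.

```python
import zlib

# Constructed sample data; none of this is real traffic or a real token.
STATIC_CSS = b"body { margin: 0; } .nav a { color: #333; }\n"   # no per-user data
SECRET_TOKEN = "7a9f3bq2"                                       # constructed CSRF token


def compressed_len(body: bytes) -> int:
    """Bytes on the wire after deflate, as a gzip-enabled server would send them."""
    return len(zlib.compress(body, 6))


def static_asset(_reflected: str) -> bytes:
    """A CSS file: its content does not depend on anything in the request."""
    return STATIC_CSS


def dynamic_page(reflected: str) -> bytes:
    """A page that embeds a secret AND echoes request-controlled text (the BREACH shape)."""
    return (f'<input name="csrf" value="{SECRET_TOKEN}">'
            f"<p>Results for: {reflected}</p>").encode()


def size_depends_on_input(render, inputs) -> bool:
    """True when the compressed size varies with the echoed input.

    That variation is the length oracle a compression side channel needs.
    A constant size, as for a static asset, means there is nothing to measure,
    which is why compressing only CSS/JS does not expose a secret.
    """
    return len({compressed_len(render(i)) for i in inputs}) > 1


if __name__ == "__main__":
    # Constructed probe strings: one equals the token's surrounding markup, two do not.
    probes = ['value="7a9f3bq2"', 'value="k4m8p1x6"', 'value="q2w9e7r5"']
    print("static CSS size varies with input:", size_depends_on_input(static_asset, probes))
    print("dynamic page size varies with input:", size_depends_on_input(dynamic_page, probes))
```

Run against a real deployment, the same check (compressed size of a response across differing echoed inputs) tells you which responses must not be compressed, as opposed to static assets, which are safe to gzip.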
This concludes the post "HTTPS + gzip: is it a security vulnerability if I only gzip non-sensitive files?"; we hope the recommended answer helps.