[ https://issues.apache.org/jira/browse/TINKERPOP-2682?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Florian Hockmann closed TINKERPOP-2682.
---------------------------------------
    Fix Version/s: 3.6.0
                   3.5.3
       Resolution: Fixed

> Enable WebSocket compression in .NET by default
> -----------------------------------------------
>
>                 Key: TINKERPOP-2682
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2682
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: dotnet
>    Affects Versions: 3.5.1
>            Reporter: Florian Hockmann
>            Assignee: Florian Hockmann
>            Priority: Minor
>             Fix For: 3.6.0, 3.5.3
>
>
> .NET 6 added support for WebSocket compression to .NET:
> [https://devblogs.microsoft.com/dotnet/announcing-net-6/#websocket-compression]
> Users can already enable that by themselves as it has been added as a
> property {{DangerousDeflate}} to the {{ClientWebSocketOptions}} which can be
> configured via the {{webSocketConfiguration}} of the {{GremlinClient}}
> constructor in Gremlin.Net.
> Since we have enabled compression by default in Python and Java, it makes
> sense to also enable it by default in .NET. We can of course only do that for
> .NET 6 which is why we'll have to add that as an additional target framework
> to Gremlin.Net.
> The .NET 6 announcement mentions that WebSocket compression together with
> encrypted content is susceptible to attacks like CRIME and BREACH that can
> reveal the encrypted content if an attacker is able to control data that is
> sent together with the encrypted content over the same WebSocket connection.
> That is why the property to enable compression is called
> {_}Dangerous{_}Deflate and why compression can also be disabled on a
> per-message basis
> ([source|https://github.com/dotnet/runtime/issues/31088#issuecomment-804359919]).
> I suggest we can account for these possible attacks by disabling compression
> for the authentication messages we send to the server which contain
> credentials and by adding a note to the docs about this with a recommendation
> to disable compression if an application needs to send sensitive data, but
> also data controlled by (potentially untrusted) users to the server.
> Since the attacker additionally needs to be able to monitor the network
> traffic between the client and the server, I guess >99% of applications are
> not affected by this and will therefore benefit from enabling compression by
> default.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
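As an added illustration (not code from the issue, from Gremlin.Net or from the .NET runtime), the following shows how an application using Gremlin.Net on .NET 6 can set the `DangerousDeflate` option through the `webSocketConfiguration` callback of the `GremlinClient` constructor, either leaving compression off for connections that carry both sensitive and user-controlled data, or enabling it with explicit deflate settings. The helper class, its method name and the sample deflate values are assumptions of this example.

```csharp
using System;
using System.Net.WebSockets;
using Gremlin.Net.Driver;

// Hypothetical helper (not part of Gremlin.Net): builds a GremlinClient whose
// WebSocket compression setting is chosen explicitly instead of relying on
// whatever the driver's default happens to be for the installed version.
public static class CompressionAwareClientFactory
{
    public static GremlinClient Create(GremlinServer server, bool enableCompression)
    {
        return new GremlinClient(
            server,
            webSocketConfiguration: options =>
            {
                if (!enableCompression)
                {
                    // A null DangerousDeflate means permessage-deflate is not
                    // negotiated, so nothing on this connection is compressed.
                    // Use this when the same connection carries secrets and
                    // data that untrusted users can influence.
                    options.DangerousDeflate = null;
                    return;
                }

                // Constructed sample settings for this example; .NET 6 exposes
                // WebSocketDeflateOptions for permessage-deflate parameters.
                options.DangerousDeflate = new WebSocketDeflateOptions
                {
                    ClientMaxWindowBits = 15,
                    ServerMaxWindowBits = 15,
                    ClientContextTakeover = true,
                    ServerContextTakeover = true
                };
            });
    }

    public static void Main()
    {
        // Placeholder host and port; replace with a real Gremlin Server.
        var server = new GremlinServer("localhost", 8182);

        // Connection that mixes credentials with user-supplied query data:
        using var uncompressed = Create(server, enableCompression: false);

        // Connection where only trusted, non-sensitive traffic is sent:
        using var compressed = Create(server, enableCompression: true);

        Console.WriteLine("Clients configured with explicit compression policy.");
    }
}
```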