[ https://issues.apache.org/jira/browse/TINKERPOP-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17890269#comment-17890269 ]
Cole Greer commented on TINKERPOP-2700:
---------------------------------------

Resolved with a pair of PRs:
3.6: https://github.com/apache/tinkerpop/pull/2832
3.7: https://github.com/apache/tinkerpop/pull/2833

> WebSocket compression may lead to attacks (CRIME / BREACH)
> ----------------------------------------------------------
>
>                 Key: TINKERPOP-2700
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2700
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: driver, python
>    Affects Versions: 3.5.2
>            Reporter: Florian Hockmann
>            Priority: Blocker
>
> As noted in TINKERPOP-2682, WS compression can make an application vulnerable
> to attacks. That is why it should probably be disabled if an application
> sends sensitive data as well as data that could be controlled by a
> potentially untrusted user.
> So, we should make it possible for users to disable compression and inform
> about this problem in our docs.
> We can optionally also disable compression ourselves for messages that
> contain an authentication response (that's how it's implemented right now for
> .NET in the PR for TINKERPOP-2682).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
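
The condition named in the issue description (sensitive data and user-controlled data compressed together) can be checked with the sketch below, which is an added example and not code from TinkerPop or the linked PRs. The message layout, the `credential` field, the function names and the sample values are assumptions, and `zlib` stands in for WebSocket permessage-deflate.

```python
import json
import zlib

# Constructed sample values; none come from TinkerPop or a real deployment.
SECRET = "k3Qz9Lm2Xv7Tb4Np8Rw1Yc6H"      # sensitive value carried in the frame
UNRELATED = "ZaUqEoWiPdSfGjHlMnBvCxYt"   # same length, shares nothing with SECRET


def build_message(user_input: str) -> dict:
    """Hypothetical frame mixing a secret with user-controlled text."""
    return {"credential": SECRET, "query": "g.V().has('name','%s')" % user_input}


def always_compress(message: dict) -> bytes:
    """Compress every frame (zlib stands in for WebSocket permessage-deflate)."""
    return zlib.compress(json.dumps(message, sort_keys=True).encode())


def guarded(message: dict, compression_enabled: bool = True) -> bytes:
    """Skip compression globally, or for any frame that carries a credential."""
    raw = json.dumps(message, sort_keys=True).encode()
    if compression_enabled and "credential" not in message:
        return zlib.compress(raw)
    return raw


def size_gap(encoder) -> int:
    """Wire-size difference: unrelated input versus input equal to SECRET."""
    miss = len(encoder(build_message(UNRELATED)))
    hit = len(encoder(build_message(SECRET)))
    return miss - hit


if __name__ == "__main__":
    # Non-zero gap: frame length depends on how the input relates to the secret.
    print("gap when every frame is compressed:", size_gap(always_compress))
    # Zero gap: frame length no longer depends on the secret.
    print("gap with the per-message guard:    ", size_gap(guarded))
```

A non-zero gap means the frame size on the wire depends on the secret, which is why both the global switch and the per-message exemption for authentication responses are proposed.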