[ https://issues.apache.org/jira/browse/TINKERPOP-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Cole Greer closed TINKERPOP-2700.
---------------------------------
Fix Version/s: 3.6.8, 3.7.3
Assignee: Cole Greer
Resolution: Fixed
> WebSocket compression may lead to attacks (CRIME / BREACH)
> ----------------------------------------------------------
>
> Key: TINKERPOP-2700
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2700
> Project: TinkerPop
> Issue Type: Improvement
> Components: driver, python
> Affects Versions: 3.5.2
> Reporter: Florian Hockmann
> Assignee: Cole Greer
> Priority: Blocker
> Fix For: 3.6.8, 3.7.3
>
>
> As noted in TINKERPOP-2682, WS compression can make an application vulnerable
> to attacks. That is why it should probably be disabled if an application
> sends sensitive data as well as data that could be controlled by a
> potentially untrusted user.
> So, we should make it possible for users to disable compression and inform
> about this problem in our docs.
> We can optionally also disable compression ourselves for messages that
> contain an authentication response (that's how it's implemented right now for
> .NET in the PR for TINKERPOP-2682).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
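
The risk described in the issue, as an added example that is not part of the Jira message or of TinkerPop's code: when a secret and a user-controlled value are compressed in the same frame, the size on the wire depends on whether the two overlap, and sending the frame uncompressed removes that dependency. The header value, field names and the `compression_allowed` helper are constructed for illustration.

```python
import zlib

# Constructed sample secret; not taken from any real deployment.
SECRET_HEADER = b"authorization: token=7f3a9c1e5b2d"


def build_frame(user_field: bytes) -> bytes:
    """One message that carries a secret plus a user-controlled value."""
    return SECRET_HEADER + b"\r\nquery: " + user_field


def wire_size(frame: bytes, compress: bool) -> int:
    """Number of payload bytes an on-path observer can count for this frame."""
    if not compress:
        return len(frame)
    # Raw DEFLATE, the format WebSocket permessage-deflate is built on.
    deflater = zlib.compressobj(wbits=-15)
    return len(deflater.compress(frame) + deflater.flush())


def size_depends_on_secret(compress: bool) -> bool:
    """True if two equal-length user values produce different wire sizes."""
    overlapping = b"token=7f3a9c1e5b2d"  # repeats part of the secret
    unrelated = b"token=QzXwVkJpLmNr"    # same length, no overlap past "token="
    return (wire_size(build_frame(overlapping), compress)
            != wire_size(build_frame(unrelated), compress))


def compression_allowed(is_auth_response: bool,
                        has_sensitive_data: bool,
                        has_untrusted_input: bool) -> bool:
    """Hypothetical per-message policy following the issue text:
    never compress authentication responses, and never compress a message
    that mixes sensitive data with potentially untrusted input."""
    if is_auth_response:
        return False
    return not (has_sensitive_data and has_untrusted_input)


if __name__ == "__main__":
    print("compressed size leaks overlap:  ", size_depends_on_secret(True))
    print("uncompressed size leaks overlap:", size_depends_on_secret(False))
    print("compress auth response:         ",
          compression_allowed(True, True, False))
```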