On Wed, Mar 28, 2018 at 7:16 PM, Andres Freund <and...@anarazel.de> wrote:
> +analysis of whether that's safe to do from a cryptographic POV. There's a
> reason compression has been disabled for just about all SSL/TLS libraries.

As I understand it on a brief review of the Google search results^W^W^Wliterature, the reason that was done was to prevent things like the CRIME attack, which apparently involves JavaScript running in your browser deducing information that it shouldn't be able to get, like the Cookies that are sent along with the requests it initiates. No similar attack should be possible against PostgreSQL because there's no similar kind of privilege separation. Your PG driver doesn't have untrusted JavaScript running inside of it, we hope.

In general, I'd expect compressing data to be beneficial for the security of encryption because it should increase the entropy of the encrypted bytes, but obviously it's not hard to hypothesize cases where the opposite is true for one reason or another.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
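
The following is an added example, not part of the original message or of PostgreSQL: it models the length side channel behind CRIME, which exists only when data chosen by another party shares a compression context with a secret. It uses Python's zlib with constructed secrets; the function names, the three modes and the length-preserving cipher are assumptions of the example.

```python
import zlib

# Constructed sample values, not taken from any real system.
SECRET_A = b"sessiontoken=7f3a9c21d4e8b605"
SECRET_B = b"sessiontoken=0b5e82d6c14a97f3"


def wire_length(secret: bytes, chosen: bytes, mode: str) -> int:
    """Length an on-path observer sees for one message.

    Assumes a length-preserving cipher, so ciphertext length equals the
    length of whatever was handed to the encryption layer.
    """
    if mode == "shared":      # secret and chosen data in one compression context
        return len(zlib.compress(secret + b"\n" + chosen))
    if mode == "separate":    # each part compressed in its own context
        return len(zlib.compress(secret)) + len(zlib.compress(chosen))
    if mode == "none":        # compression disabled, as in most TLS libraries
        return len(secret) + 1 + len(chosen)
    raise ValueError(f"unknown mode: {mode}")


def length_gap(secret: bytes, mode: str) -> int:
    """Length difference between sending SECRET_A and SECRET_B as chosen data.

    If this gap changes when the secret changes, the observable length
    reveals something about the secret.
    """
    return wire_length(secret, SECRET_A, mode) - wire_length(secret, SECRET_B, mode)


def leaks(mode: str) -> bool:
    """True when the observable length gap depends on the secret."""
    return length_gap(SECRET_A, mode) != length_gap(SECRET_B, mode)


if __name__ == "__main__":
    for mode in ("shared", "separate", "none"):
        print(f"{mode:9s} gap(A)={length_gap(SECRET_A, mode):+d} "
              f"gap(B)={length_gap(SECRET_B, mode):+d} leaks={leaks(mode)}")
```

When reviewing a protocol that compresses before encrypting, the question this check answers is whether any field that one party controls is compressed together with a field that party is not supposed to learn.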