[Bug 64431] Enable response compression by default
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431 Mark Thomas changed: What|Removed |Added Resolution|--- |WONTFIX Status|NEW |RESOLVED --- Comment #7 from Mark Thomas --- There wasn't much community feedback, but the feedback that there was was that it would be best to leave the compression setting as is. Reasons mentioned included: - interaction with some clients (still!) - behaviour behind a reverse proxies generally - interaction with CDNs specifically I am therefore resolving this as WONTFIX. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64431] Enable response compression by default
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431 --- Comment #6 from Mark Thomas --- I have no strong view either way (although I am open to being persuaded one way or the other). I've asked the user community for their views. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64431] Enable response compression by default
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431 --- Comment #5 from Craig --- I don't think BEAST is still relevant, see https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat for a details explanation. So I still suggest that Tomcat change the default to enable HTTP response compression. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64431] Enable response compression by default
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431 --- Comment #4 from Craig --- > > CRIME, BREACH. > CRIME is a vulnerability that applies to TLS compression - I'm not suggesting here that TLS compression be used (it was actually removed in TLS 1.3). So I don't believe CRIME is relevant. BREACH is relevant... There are mitigations (such as SameSite cookies), but there's no guarantee that applications running Tomcat have implemented them. So I see your point :) Roes Tomcat have any mitigations for BREACH in place today? It seems Tomcat doesn't do any kind of random response padding (such as with empty response chunks or randomly sized response chunking). -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64431] Enable response compression by default
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431 --- Comment #3 from Christopher Schultz --- (In reply to Craig from comment #2) > (In reply to Remy Maucherat from comment #1) > > I'd likely vote no to this proposal. > > For posterity, why not? CRIME, BREACH. I'm in favor of HTTP compression for static files (e.g. CSS, javascript, maybe SVG), but not for dynamically-generated content. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64431] Enable response compression by default
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431 --- Comment #2 from Craig --- (In reply to Remy Maucherat from comment #1) > I'd likely vote no to this proposal. For posterity, why not? >It is not a bug, anyway. I filed it as an "enhancement" not a bug - was that not the right thing? If not, I apologize! -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64431] Enable response compression by default
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431 Remy Maucherat changed: What|Removed |Added Severity|normal |enhancement --- Comment #1 from Remy Maucherat --- I'd likely vote no to this proposal. It is not a bug, anyway. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64431] Enable response compression by default
https://bz.apache.org/bugzilla/show_bug.cgi?id=64431 Craig changed: What|Removed |Added CC||candr...@integralblue.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
