

Who’s not getting gzip? - ypavan
http://www.stevesouders.com/blog/2009/11/11/whos-not-getting-gzip/

======
jimmybot
From the referenced Google Code Blog
[http://googlecode.blogspot.com/2009/11/use-compression-to-
ma...](http://googlecode.blogspot.com/2009/11/use-compression-to-make-web-
faster.html):

 _Anti-virus software may try to minimize CPU operations by intercepting and
altering requests so that web servers send back uncompressed content. But if
the CPU is not the bottleneck, the software is not doing users any favors.
Some popular antivirus programs interfere with compression. Users can check if
their anti-virus software is interfering with compression by visiting the
browser compression test page at Browserscope.org._

Serious? Anti-virus software that is doing that is acting almost like malware
doing what the user didn't ask it to do. Does compression have any even minor
security implications that would legitimize this? And anyone know which anti-
virus does this?

~~~
pbhjpbhj
_Does compression have any even minor security implications that would
legitimize this?_

The quote you gave said that anti-virus apps might do it to "minimize(sic) CPU
operations" rather than for security reasons.

~~~
sparky
(sic)? Not where the post was written it's not :P

~~~
pbhjpbhj
But it is not written thus where I wrote my comment, ergo I raise you a smiley

;0P>

------
robk
As an exercise, I heard that a toolbar company (who shall remain nameless) ran
an experiment to record a client-side hash of the DOM of some particular
static pages and found that something like 30%-40% of users had modified or
tampered results. Some of this could be spyware, some the antivirus add-ins,
but still shockingly high for static content I thought.

~~~
aristus
"DOM model" or innerHTML? Did they control for normal modifications that
browsers do, like inserting missing <tbody> tags, removing whitespace and the
like? Any more data on the nature or amount of modification?

~~~
robk
I believe he was looking pretty closely at the entire DOM rather than
specifically innerHTML but I didn't really dig down on that.

As for the browser mods, he controlled to look at the difference holding
browser version/OS steady, so the changes would be consistent inside the
browser,version,os pairing. It was a rather scientific approach imo.

------
lucumo
Those are scary numbers. Anybody know of rules to force it to on, without
breaking clients that really don't support it?

~~~
JoachimSchipper
I suppose they use User-Agent sniffing, which is obviously not very robust.
That said, something like the rule below should work (mod_gzip/Apache 1.x):

    
    
        mod_gzip_item_include         reqheader  "User-agent: .*MSIE 6.0.*"
    

Mind you, this has not been tested, interacts badly with proxies, and is based
on a pretty broken idea in the first place. On the other hand, almost every
modern browser supports gzip, so it's not clear how much it would hurt.

~~~
lucumo
Thanks. I suppose it needs a lot of testing.

