aboutsummaryrefslogtreecommitdiff
path: root/content/posts
diff options
context:
space:
mode:
authorPaul Duncan <pabs@pablotron.org>2022-01-29 08:53:11 -0500
committerPaul Duncan <pabs@pablotron.org>2022-01-29 08:53:11 -0500
commitecd771e5ec64fb43f6275c357bcdf4ff91208a06 (patch)
treeae7d9f0328184da4aba6ab1e4167abd2a58c6b87 /content/posts
parent8eba9d38f2432dbfcfa3b0b019bc926a80251c70 (diff)
downloadpablotron.org-ecd771e5ec64fb43f6275c357bcdf4ff91208a06.tar.bz2
pablotron.org-ecd771e5ec64fb43f6275c357bcdf4ff91208a06.zip
posts/media-shrinkage: add note about BREACH
Diffstat (limited to 'content/posts')
-rw-r--r--content/posts/2022-01-28-media-shrinkage.md24
1 files changed, 22 insertions, 2 deletions
diff --git a/content/posts/2022-01-28-media-shrinkage.md b/content/posts/2022-01-28-media-shrinkage.md
index b89f064..dbe87a2 100644
--- a/content/posts/2022-01-28-media-shrinkage.md
+++ b/content/posts/2022-01-28-media-shrinkage.md
@@ -36,7 +36,13 @@ Recently I made the following site improvements:
element wrapped in a [`<figure>`][figure].
5. Updated bitmap images in recent content to default to [WebP][] with a
fallback to [PNG][] ([progressive enhancement][]).
-6. Configured [`mod_deflate`][mod_deflate] to compress [SVGs][svg].
+6. Configured [`mod_deflate`][mod_deflate] to compress [SVGs][svg] (see
+ note about [BREACH][] below).
+
+**Note:** Using [HTTP compression][] ([`mod_deflate`][mod_deflate],
+[`mod_brotli`][mod_brotli], etc) with [dynamic web pages][] can expose
+you to a [BREACH][] attack. This site is [statically generated][] (via
+[Hugo][]) so [BREACH][] is not an issue.
### Results
@@ -55,6 +61,8 @@ in [Chrome][]:
`AddOutputFilterByType image/svg+xml`
* [Debian][]: Add `image/webp webp` to `/etc/mime.types`.
+**Update (2022-01-29):** Added warning about [BREACH][].
+
[svg]: https://en.wikipedia.org/wiki/Scalable_Vector_Graphics
"Scalable Vector Graphics"
[minify]: https://github.com/tdewolff/minify/tree/master/cmd/minify
@@ -74,7 +82,7 @@ in [Chrome][]:
[figure]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure
"figure HTML element"
[mod_deflate]: https://httpd.apache.org/docs/current/mod/mod_deflate.html
- "Apache DEFLATE output filter."
+ "Apache DEFLATE compression output filter."
[chrome]: https://www.google.com/chrome
"Google Chrome web browser."
[avif]: https://en.wikipedia.org/wiki/AVIF
@@ -85,3 +93,15 @@ in [Chrome][]:
"Command-line image conversion tools."
[apache]: https://httpd.apache.org/
"Apache web server."
+[breach]: https://en.wikipedia.org/wiki/BREACH
+ "HTTP compression security vulnerability that leaks information over TLS connections."
+[http compression]: https://en.wikipedia.org/wiki/HTTP_compression
+ "HTTP compression"
+[statically generated]: https://en.wikipedia.org/wiki/Static_web_page
+ "Statically generated web page"
+[hugo]: https://gohugo.io/
+ "Hugo static site generator"
+[mod_brotli]: https://httpd.apache.org/docs/trunk/mod/mod_brotli.html
+ "Apache brotli compression output filter."
+[dynamic web pages]: https://en.wikipedia.org/wiki/Dynamic_web_page
+ "Dynamically generated web page"