How can I use gzip with SSL, or any alternatives?


Question

Google now treats HTTP as insecure (check here), and in Chrome we see warning messages if we access an HTTP site. And now we have free SSL, Let's Encrypt. So I assume we would surely use HTTPS for nearly every server.

Then I found that using gzip with SSL has a security issue, called the BREACH attack. I really wonder, then, how we can achieve the purpose of gzip while using SSL?

Especially on Angular, when built, it has quite large sizes; for now, I have main files related to @angular, styles files related to CSS/SCSS/whatever bundled with Webpack, and scripts files related to external JavaScript files. For my application the sizes are as below (Angular 2.3.1, AoT, production build):

  • main.js: 739K
  • main.js.gz: 151K
  • styles.js: 394K
  • styles.js.gz: 100K
  • scripts.js: 1.8M
  • scripts.js.gz: 415K

For the main and styles files, it seems okay without gzip. But for the scripts file it is really big without gzip. 1.8 megabytes... it would definitely be heavy for mobile.

But my application uses WebRTC, which requires HTTPS. So I'm kind of stuck. Is there any good solution?

Answer

The BREACH attack is only a problem for content which contains secrets the attacker would like to guess (like CSRF tokens) and where attacker-controlled data is also reflected in the content. Static JavaScript files and other static files don't have this property, so they can safely be compressed. See also Is gzipping content via TLS allowed? or Current State of BREACH (GZIP SSL Attack)?
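The two conditions the answer names (a secret in the response, attacker-controlled text reflected next to it) are easy to see in working code. The example below is added by the editor and is not from the question, the answer or any linked page: it builds a constructed dynamic page carrying a CSRF token and a reflected search term, models the attacker as someone who only learns the compressed response size, and recovers the token one hex digit at a time from that size. It then shows the per-response token masking used by frameworks such as Django and Rails, which removes the stable secret the oracle needs. Two simplifications are assumptions of this example, not properties of real servers: compression is forced to fixed Huffman codes (`zlib.Z_FIXED`) so that the size depends only on LZ77 matches, and eight padded requests per guess are summed to read the size at bit resolution. Real attacks handle the same noise by repeating requests.

```python
"""Added example (not from the original question or answer): a toy BREACH
length oracle against a constructed dynamic page, and the per-response
token masking that defeats it.
"""
import secrets
import zlib

HEX = "0123456789abcdef"


def deflate_len(body: bytes) -> int:
    """Compressed size, which TLS does not hide. Fixed Huffman codes (Z_FIXED)
    are forced here (assumption of this toy) so the size depends only on the
    LZ77 matches and not on symbol statistics; a real attack repeats requests
    to average that noise out instead."""
    c = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


def render_page(csrf_token: str, reflected: bytes) -> bytes:
    """Constructed dynamic page: it carries a secret (the CSRF token) and
    reflects attacker-controlled input (a search term), the two conditions
    BREACH needs."""
    return (
        b"<html><body><nav><a href='/home'>home</a><a href='/docs'>docs</a>"
        b"<a href='/about'>about</a></nav><form method='post'>"
        b"<input type='hidden' name='csrf' value='" + csrf_token.encode() + b"'>"
        b"<input type='text' name='q'></form><p>Results for: " + reflected
        + b"</p></body></html>"
    )


def mask_token(csrf_token: str) -> str:
    """Per-response masking (the mitigation Django and Rails adopted): XOR the
    token with a fresh one-time pad and emit pad || masked, so the bytes in
    every response differ and the oracle has no stable secret to match."""
    pad = secrets.token_bytes(len(csrf_token))
    masked = bytes(a ^ b for a, b in zip(pad, csrf_token.encode()))
    return (pad + masked).hex()


def unmask_token(field: str) -> str:
    """Server side: recover the real token from a submitted masked field."""
    raw = bytes.fromhex(field)
    pad, masked = raw[: len(raw) // 2], raw[len(raw) // 2:]
    return bytes(a ^ b for a, b in zip(pad, masked)).decode()


def make_oracle(csrf_token: str, masked: bool = False):
    """One HTTPS request as the attacker sees it: choose the reflected text,
    learn only the compressed response size."""
    def size_of(reflected: bytes) -> int:
        shown = mask_token(csrf_token) if masked else csrf_token
        return deflate_len(render_page(shown, reflected))
    return size_of


def probe(size_of, guess: bytes) -> int:
    """Score one guess. Appending 0..7 literals that cost 9 bits each (bytes
    >= 0x90 in the fixed code) walks the stream through every bit alignment,
    so the summed byte sizes drop whenever the bit length drops; a single
    request could hide a one-literal saving behind byte rounding."""
    return sum(
        size_of(b"value='" + guess + bytes(range(0xE0, 0xE0 + p)))
        for p in range(8)
    )


def recover_token(size_of, length: int = 32) -> str:
    """Extend the guess one hex digit at a time; the digit that extends the
    LZ77 match against the real token saves one literal and compresses
    smallest, so the attacker never needs to see the page itself."""
    recovered = ""
    for _ in range(length):
        recovered += min(HEX, key=lambda ch: probe(size_of, (recovered + ch).encode()))
    return recovered


if __name__ == "__main__":
    token = secrets.token_hex(16)
    print("plain token recovered:", recover_token(make_oracle(token)) == token)
    print("masked token recovered:", recover_token(make_oracle(token, masked=True)) == token)
```

The same reasoning gives the practical split for the question's Angular build: main.js, styles.js and scripts.js contain neither a per-user secret nor reflected input, so serving them pre-compressed is fine, while HTML or JSON responses that embed a CSRF token next to echoed user data are the ones to leave uncompressed or to protect with masking as above.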
