Hello, I'm aware that enabling GZIP on an SSL site opens a vulnerability. What about if I create another SSL+GZIP site for content delivery only, for example I would be storing CSS and images on it. Would that be a secure thing to do?

https://cd.mysite.com/style.css - this site has SSL + GZIP
https://mysite.com - only SSL

Thanks

asked 08 Mar '15, 20:29
Aidas Keburys
It is insecure no matter what content you are using; the mild speed gain you would get is not worth a security exploit.

answered 09 Mar '15, 00:01
johns

How do other sites get away with it? For e.g. Twitter, they seem to have their own SSL CDN, and their resources seem to be gzipped. Or is there any other way? Also, how about paid CDNs? They do offer gzip too.

(09 Mar '15, 08:28)
Aidas Keburys
They take care to make sure that the headers from their application never include authentication tokens, and that they're serving just static media which would otherwise be available anyway without authentication credentials. In that particular case, there's no security vulnerability. In other words, we can't enable this in general for all sites because it requires users to implement their sites' cookies and headers carefully in such a way as to be immune to the possible vulnerability. That's not a viable blanket setting for our front-end webserver that serves applications as well as static media. For your site, you'd be better off using an external CDN that supports https for your static media, because your goal is speed improvement, and that gives the best of both worlds: compressed data served from a local CDN server.

(09 Mar '15, 09:10)
ryans ♦♦
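As an added example, not from the thread or the hosting provider, here is a Python check that applies the rule in ryans' comment above: a compressed response over HTTPS is acceptable only when it is static public media with no cookies or per-user content. The header checks, the static content-type list and the sample responses are my own assumptions and constructed data.

```python
"""Audit HTTP responses for the risky HTTPS + compression combination.
Rule from the thread: over TLS, compress only static, public, cookie-free
responses, so a compressed body never mixes a secret with outside input."""
from email.parser import Parser
from typing import List

# Content types treated as static public media (an assumption for this example).
STATIC_TYPES = ("text/css", "text/javascript", "application/javascript",
                "image/", "font/")


def parse_headers(raw: str):
    """Split a raw HTTP/1.1 response into (status line, header Message)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    return status_line, Parser().parsestr(header_block, headersonly=True)


def audit(raw_response: str, request_had_credentials: bool = False) -> List[str]:
    """Return findings; an empty list means the response is safe to compress.
    request_had_credentials: the request carried a Cookie or Authorization
    header (cookies set for mysite.com are also sent to cd.mysite.com)."""
    _, hdrs = parse_headers(raw_response)
    encoding = (hdrs.get("Content-Encoding") or "").lower()
    if not any(e in encoding for e in ("gzip", "deflate", "br")):
        return []  # uncompressed: the length is not a compression oracle
    findings = []
    if request_had_credentials:
        findings.append("request carried credentials to a compressed endpoint")
    if hdrs.get_all("Set-Cookie"):
        findings.append("response sets a cookie, so it is session-bearing")
    cache = (hdrs.get("Cache-Control") or "").lower()
    if "private" in cache or "no-store" in cache:
        findings.append("Cache-Control private/no-store marks a per-user response")
    if "cookie" in (hdrs.get("Vary") or "").lower():
        findings.append("Vary: Cookie means the body depends on the session")
    ctype = (hdrs.get("Content-Type") or "").lower().split(";")[0].strip()
    if not ctype.startswith(STATIC_TYPES):
        findings.append(f"content type '{ctype or 'missing'}' is not static media")
    return findings


# Constructed sample responses (not captured from any real site).
CDN_CSS = ("HTTP/1.1 200 OK\r\nContent-Type: text/css; charset=utf-8\r\n"
           "Content-Encoding: gzip\r\nCache-Control: public, max-age=31536000\r\n\r\n")
APP_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
            "Content-Encoding: gzip\r\nSet-Cookie: sessionid=EXAMPLE; Secure; HttpOnly\r\n"
            "Cache-Control: private, no-store\r\nVary: Cookie\r\n\r\n")
```

Run `audit()` over responses captured from your own hosts; the static-only CDN host should return no findings, and any finding on it means the host is serving more than public media.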
You can now selectively enable and disable gzip compression for HTTPS websites via our control panel at:

answered 25 May '17, 16:14
seanf