WebFaction

Hello,

I'm aware that enabling GZIP on an SSL site opens a vulnerability.

What if I create another SSL+GZIP site for content delivery only? For example, I would be storing CSS and images on it. Would that be a secure thing to do?

https://cd.mysite.com/style.css - this site has SSL + GZIP
https://mysite.com - only SSL

Thanks

asked 08 Mar '15, 20:29

Aidas Keburys


It is insecure no matter what content you are using; the mild speed gain you would get is not worth a security exploit.

answered 09 Mar '15, 00:01

johns

How do other sites get away with it? E.g. Twitter, they seem to have their own SSL CDN, and their resources seem to be gzipped.

Or is there any other way?

Also, how about paid CDNs? They offer gzip as well.

(09 Mar '15, 08:28) Aidas Keburys

They take care to make sure that the headers from their application never include authentication tokens, and that they're serving just static media which would otherwise be available anyway without authentication credentials. In that particular case, there's no security vulnerability.

In other words, we can't enable this in general for all sites because it requires users to implement their sites' cookies and headers carefully in such a way as to be immune to the possible vulnerability. That's not a viable blanket setting for our front-end webserver that serves applications as well as static media.

For your site, you'd be better off using an external CDN that supports https for your static media, because your goal is speed improvement, and that gives the best of both worlds: compressed data served from a local CDN server.

(09 Mar '15, 09:10) ryans ♦♦
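
The condition described in the comment above (compression only on static media, with no authentication tokens in the headers) can be checked against captured request/response headers. This is an added example, not part of the original thread or WebFaction's code; the function name, the static-type list and the sample exchanges are assumptions made for illustration.

```python
# Added example: audit whether compression is applied only where the comment
# above says it is safe (static media, no credentials in either direction).
# Header names are standard HTTP; the static-type list is an assumption.

STATIC_TYPES = {
    "text/css", "application/javascript", "text/javascript",
    "image/svg+xml", "font/woff2",
}
CREDENTIAL_REQUEST_HEADERS = {"cookie", "authorization"}


def _lower(headers):
    """Normalise header names to lower case for case-insensitive lookup."""
    return {k.lower(): v for k, v in headers.items()}


def audit_compressed_response(request_headers, response_headers):
    """Return a list of findings; an empty list means compression looks safe."""
    req, resp = _lower(request_headers), _lower(response_headers)
    encodings = [t.strip() for t in resp.get("content-encoding", "").lower().split(",")]
    if not any(t in ("gzip", "deflate") for t in encodings):
        return []  # not compressed, nothing to audit
    findings = []
    media_type = resp.get("content-type", "").split(";")[0].strip().lower()
    if media_type not in STATIC_TYPES:
        findings.append(f"compressed non-static content type: {media_type or 'missing'}")
    if "set-cookie" in resp:
        findings.append("compressed response sets a cookie")
    for name in sorted(CREDENTIAL_REQUEST_HEADERS.intersection(req)):
        findings.append(f"request carried credentials: {name}")
    return findings


# Constructed sample exchanges (hostnames follow the question's example).
CDN_EXCHANGE = (
    {"Host": "cd.mysite.com", "Accept-Encoding": "gzip"},
    {"Content-Type": "text/css", "Content-Encoding": "gzip"},
)
APP_EXCHANGE = (
    {"Host": "mysite.com", "Cookie": "sessionid=constructed", "Accept-Encoding": "gzip"},
    {"Content-Type": "text/html; charset=utf-8", "Content-Encoding": "gzip",
     "Set-Cookie": "csrftoken=constructed"},
)

if __name__ == "__main__":
    for req, resp in (CDN_EXCHANGE, APP_EXCHANGE):
        print(req["Host"], audit_compressed_response(req, resp) or "ok")
```

A browser only omits cookies on the static host if none are scoped to it, so a cookie set for the parent domain would still show up as a finding on `cd.mysite.com`.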

You can now selectively enable and disable gzip compression for HTTPS websites via our control panel at:

https://my.webfaction.com/websites

answered 25 May '17, 16:14

seanf

question asked: 08 Mar '15, 20:29

question was seen: 4,273 times

last updated: 25 May '17, 16:14
