I would like to receive your input in this regard and your concerns about dropping support for the deprecated Deflate compression.
Here is some information that I came across about this matter.
2023 usage
According to W3Techs, as of April 2023, around 10.8% of websites are using deflate compression.
According to a survey conducted by BuiltWith in March 2023, 9.8% of the top 10,000 websites are using deflate compression.
According to the HTTP Archive, as of March 2023, the percentage of websites using deflate compression was around 10.3%.
According to data from the Chrome User Experience Report (CrUX) as of April 2023, the usage of deflate compression has decreased from around 0.3% in January 2021 to around 0.1% in April 2023.
Overall, these statistics suggest that while deflate compression is still in use, it is not as widely used as other compression methods such as gzip. The usage of different compression methods can also vary depending on various factors such as server configurations, browser support, and performance considerations.
Security
Deflate compression was officially deprecated by the HTTP/2 standard in 2015 due to known security vulnerabilities. While deflate can still be used with HTTP/1.1, it is generally recommended to use more secure compression methods such as gzip or brotli.
The security risk associated with deflate compression lies in its vulnerability to a type of attack known as a "compression oracle" attack. In this type of attack, an attacker can use the predictable nature of the deflate compression algorithm to obtain information about the plaintext of compressed data. This can lead to the disclosure of sensitive information such as user credentials or other sensitive data.
As such, it is generally recommended to use more secure compression methods such as gzip or brotli, which are not vulnerable to these types of attacks. It's important to note that the security risks associated with deflate are well-known, and its usage is generally discouraged in modern web development practices.
The OWASP Foundation, a non-profit organization that focuses on improving software security, lists the use of deflate compression as a security risk in its Top Ten Web Application Security Risks list. You can find more information on this in the "A6: Security Misconfiguration" section: https://owasp.org/Top10/
The Mozilla Foundation, the organization behind the Firefox browser, recommends using gzip or brotli compression over deflate due to its security vulnerabilities. You can find more information on this in the Mozilla Developer Network documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Compression
These resources suggest that while deflate compression can still be used with HTTP/1.1, its usage is discouraged in modern web development practices due to its known security vulnerabilities.
--
I will update you more on the topic and of course, feel free to share your thoughts about it.
Should we remove Deflate compression from SWS in a next major?
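Added example, not part of the original post or of the SWS code base: HTTP's `deflate` coding is the zlib format (RFC 1950) and `gzip` is RFC 1952, and both wrap a DEFLATE (RFC 1951) stream. The Python below measures, for each framing, the compressed-length difference that a compression oracle depends on; the page template and the `SECRET` and `MISS` values are constructed for illustration.

```python
import gzip
import zlib

# Constructed sample values (not from the original post).
SECRET = "csrf_token=8f3a1c9e7b2d4a60"
MISS = "QWJZKVXPLMYGHBNDTRUFCOIESA7"  # same length, shares nothing with SECRET
PAGE = ("<html><body><form><input type='hidden' value='{secret}'></form>"
        "<p>No results for: {reflected}</p></body></html>")


def body(reflected: str) -> bytes:
    """Response body holding the secret plus a request-controlled value."""
    return PAGE.format(secret=SECRET, reflected=reflected).encode()


def raw_deflate(data: bytes) -> bytes:
    """Bare DEFLATE stream (RFC 1951): negative wbits means no header/trailer."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def http_deflate(data: bytes) -> bytes:
    """HTTP 'deflate' coding: zlib framing (RFC 1950) around DEFLATE."""
    return zlib.compress(data, 9)


def http_gzip(data: bytes) -> bytes:
    """HTTP 'gzip' coding: gzip framing (RFC 1952) around DEFLATE."""
    return gzip.compress(data, 9, mtime=0)


def framing_overhead(coding) -> int:
    """Bytes the coding adds on top of the bare DEFLATE stream."""
    data = body(MISS)
    return len(coding(data)) - len(raw_deflate(data))


def length_signal(coding) -> int:
    """Bytes saved when the reflected value repeats the secret."""
    return len(coding(body(MISS))) - len(coding(body(SECRET)))


if __name__ == "__main__":
    codings = [("raw", raw_deflate), ("deflate", http_deflate), ("gzip", http_gzip)]
    for name, coding in codings:
        print(f"{name:8} overhead={framing_overhead(coding):2} "
              f"signal={length_signal(coding)}")
```

The signal comes from compressing a secret together with request-controlled input, so what a response contains matters when assessing exposure, whichever coding is negotiated.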