lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 24 Feb 2004 13:00:47 -0500
From: "Josep L. Guallar-Esteve" <guallar@...ternrad.com>
To: bugtraq@...urityfocus.com
Subject: Re: blocking gzip encoded files


On Monday 23 February 2004 05:38 pm, Darwin Mecham wrote:
> It has recently come to my attention that most browsers happily
> do Accept-encoding: gzip and streaming decompression of
> HTML data received with Content-encoding: gzip
>  without asking.

This is because most browsers support HTTP-1.1 standard.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11
http://www.w3.org/Talks/9608HTTP/
http://www.seoconsultants.com/articles/1000/http-compression.asp

> This has been in use since sometime in 1998.

IIRC, HTTP 1.1 was endorsed by W3C ~ 1999

> Is there a way to configure the run-of-the-mill browser to
> block these at the host level ?

You can disable HTTP 1.1 compliance if you wish.

> Darwin


Regards,
Josep
-- 
Josep L. Guallar-Esteve		Eastern Radiologists, Inc.
Systems and Network Administration  http://www.easternrad.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ