Contents
Does SSL use compression?
The authors of SSL knew that if you’re going to encrypt data, you need to compress it before you encrypt it, since well-encrypted data tends to look pretty random and non-compressible. But even though SSL supports compression, no browsers support it.
What is SSL compression?
SSL compression has access to the clear-text data of the connection, because the server-side appliance acts as a security delegate of the endpoint servers. All accelerated connections between the two appliances are sent over SSL data connections, whether the original connections were encrypted or not.
What are the different compression methods?
There are two main types of compression: lossy and lossless.
Does TLS compress data?
TLS defines one standard compression method which specifies that data exchanged via the record protocol will not be compressed. Compression within TLS is one way to help reduce the bandwidth and latency requirements associated with exchanging large amounts of data while preserving the security services provided by TLS.
Why is SSL so good?
The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can access it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server.
How much can data be compressed?
Data compression can reduce a text file to 50% or a significantly higher percentage of its original size. For data transmission, compression can be performed on the data content or on the entire transmission unit, including header data.
How is HTTP compression different from TLS compression?
Note that HTTP compression is a different mechanism from TLS compression; HTTP compression is negotiated at a higher level of the stack, and only applies to the body of the response. However, HTTP compression can be applied to data that is downloaded over a SSL/TLS connection, i.e., to resources downloaded via HTTPS.
When do I need to enable HTTP compression?
HTTP compression will be enabled only if both the browser and the server support it, but most browsers and many servers do, because it improves performance. Note that HTTP compression is a different mechanism from TLS compression; HTTP compression is negotiated at a higher level of the stack, and only applies to the body of the response.
Is there a crime attack on TLS compression?
Now the CRIME attack, at least as it has been publicly described so far, is an attack on TLS compression. Background: TLS includes a built-in compression mechanism, which happens at the TLS level (the entire connection is compressed).
Is it safe to compress and encrypt data?
In particular, it is dangerous to concatenate attacker-supplied data with sensitive secret data and then compress and encrypt the concatenation; any time we see that occurring, at any layer of the system stack, we should be suspicious of the potential for CRIME-like attacks.