  1. TinkerPop
  2. TINKERPOP-2700

WebSocket compression may lead to attacks (CRIME / BREACH)

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.5.2
    • Fix Version/s: 3.6.8, 3.7.3
    • Component/s: driver, python
    • Labels: None

    Description

      As noted in TINKERPOP-2682, WS compression can make an application vulnerable to attacks. That is why it should probably be disabled if an application sends sensitive data as well as data that could be controlled by a potentially untrusted user.

      So, we should make it possible for users to disable compression and inform them about this problem in our docs.

      We can optionally also disable compression ourselves for messages that contain an authentication response (that's how it's implemented right now for .NET in the PR for TINKERPOP-2682).

          People

            colegreer Cole Greer
            Florian Hockmann Florian Hockmann
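
The size side channel described in the issue, and the effect of leaving the authentication message uncompressed, as an added example that is not part of the original issue or of TinkerPop's code. The `Sender` class, the JSON message shapes and `SECRET` are constructed for illustration and are not the Gremlin wire format.

```python
import zlib

# Constructed sample secret; not a real credential.
SECRET = b"Zq7Xj2Lm9Kp4Wd8R"


class Sender:
    """Hypothetical sender that keeps one DEFLATE context per connection,
    as permessage-deflate does when context takeover is in effect."""

    def __init__(self):
        self._deflate = zlib.compressobj(level=9, wbits=-15)  # raw DEFLATE

    def send(self, payload: bytes, compress: bool = True) -> bytes:
        if not compress:
            # Sent as-is: the payload never enters the shared LZ77 window.
            return payload
        out = self._deflate.compress(payload)
        out += self._deflate.flush(zlib.Z_SYNC_FLUSH)
        return out[:-4]  # permessage-deflate drops the trailing 00 00 ff ff


def query_size(untrusted: bytes, compress_auth: bool) -> int:
    """Wire size of a query sent after the authentication message."""
    sender = Sender()
    sender.send(b'{"auth":"' + SECRET + b'"}', compress=compress_auth)
    return len(sender.send(b'{"eval":"' + untrusted + b'"}'))


def size_gap(compress_auth: bool) -> int:
    """Size difference between a non-matching and a matching untrusted value."""
    miss = SECRET[::-1]  # same bytes in another order, so same plaintext length
    return query_size(miss, compress_auth) - query_size(SECRET, compress_auth)


if __name__ == "__main__":
    # A non-zero gap means message length depends on the secret's content.
    print("auth message compressed:  ", size_gap(compress_auth=True))
    print("auth message uncompressed:", size_gap(compress_auth=False))
```

With the authentication message kept out of the compressor, the later query compresses to the same size whether or not the untrusted value equals the secret.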