Scribd
Upload
20 views6 pages

HTTP Compression

HTTP compression allows web servers and clients to compress data before transmission to improve transfer speeds. Supported compression schemes like gzip and Brotli are negotiated between client and server, with the server indicating the used scheme in the response. While improving performance, compression can enable attacks like CRIME and BREACH that leak encrypted data by analyzing changes in compressed response sizes. Issues preventing its use include antivirus interference and legacy clients failing to uncompressed HTTP 1.0 mode.

Uploaded by

sebastian431
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
Download as pdf or txt
20 views6 pages

HTTP Compression

HTTP compression allows web servers and clients to compress data before transmission to improve transfer speeds. Supported compression schemes like gzip and Brotli are negotiated between client and server, with the server indicating the used scheme in the response. While improving performance, compression can enable attacks like CRIME and BREACH that leak encrypted data by analyzing changes in compressed response sizes. Issues preventing its use include antivirus interference and legacy clients failing to uncompressed HTTP 1.0 mode.

Uploaded by

sebastian431
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
Download as pdf or txt
Download as pdf or txt
You are on page 1/ 6

HTTP compression

HTTP compression is a capability that can be built into web servers and web clients to improve transfer
speed and bandwidth utilization.[1]

HTTP data is compressed before it is sent from the server: compliant browsers will announce what methods
are supported to the server before downloading the correct format; browsers that do not support compliant
compression method will download uncompressed data. The most common compression schemes include
gzip and Brotli; a full list of available schemes is maintained by the IANA.[2]

There are two different ways compression can be done in HTTP. At a lower level, a Transfer-Encoding
header field may indicate the payload of an HTTP message is compressed. At a higher level, a Content-
Encoding header field may indicate that a resource being transferred, cached, or otherwise referenced is
compressed. Compression using Content-Encoding is more widely supported than Transfer-Encoding, and
some browsers do not advertise support for Transfer-Encoding compression to avoid triggering bugs in
servers.[3]

Compression scheme negotiation


The negotiation is done in two steps, described in RFC 2616 and RFC 9110:

1. The web client advertises which compression schemes it supports by including a list of tokens in the
HTTP request. For Content-Encoding, the list is in a field called Accept-Encoding; for Transfer-Encoding,
the field is called TE.

GET /encrypted-area HTTP/1.1


Host: www.example.com
Accept-Encoding: gzip, deflate

2. If the server supports one or more compression schemes, the outgoing data may be compressed by one or
more methods supported by both parties. If this is the case, the server will add a Content-Encoding or
Transfer-Encoding field in the HTTP response with the used schemes, separated by commas.

HTTP/1.1 200 OK
Date: mon, 26 June 2016 22:38:34 GMT
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip

The web server is by no means obligated to use any compression method  – this depends on the internal
settings of the web server and also may depend on the internal architecture of the website in question.

Content-Encoding tokens
The official list of tokens available to servers and client is maintained by IANA,[4] and it includes:
br – Brotli, a compression algorithm specifically designed for HTTP content encoding,
defined in RFC 7932 (https://datatracker.ietf.org/doc/html/rfc7932) and implemented in all
modern major browsers.
compress – UNIX "compress" program method (historic; deprecated in most applications
and replaced by gzip or deflate)
deflate – compression based on the deflate algorithm (described in RFC 1951 (https://datatr
acker.ietf.org/doc/html/rfc1951)), a combination of the LZ77 algorithm and Huffman coding,
wrapped inside the zlib data format (RFC 1950 (https://datatracker.ietf.org/doc/html/rfc1950));
exi – W3C Efficient XML Interchange
gzip – GNU zip format (described in RFC 1952 (https://datatracker.ietf.org/doc/html/rfc1952)).
Uses the deflate algorithm for compression, but the data format and the checksum algorithm
differ from the "deflate" content-encoding. This method is the most broadly supported as of
March 2011.[5]
identity – No transformation is used. This is the default value for content coding.
pack200-gzip – Network Transfer Format for Java Archives[6]
zstd – Zstandard compression, defined in RFC 8478 (https://datatracker.ietf.org/doc/html/rfc8
478)

In addition to these, a number of unofficial or non-standardized tokens are used in the wild by either servers
or clients:

bzip2 – compression based on the free bzip2 format, supported by lighttpd[7]


lzma – compression based on (raw) LZMA is available in Opera 20, and in elinks via a
compile-time option[8]
peerdist[9] – Microsoft Peer Content Caching and Retrieval
rsync[10] - delta encoding in HTTP, implemented by a pair of rproxy proxies.
xpress - Microsoft compression protocol used by Windows 8 and later for Windows Store
application updates. LZ77-based compression optionally using a Huffman encoding.[11]
xz - LZMA2-based content compression, supported by a non-official Firefox patch;[12] and
fully implemented in mget since 2013-12-31.[13]

Servers that support HTTP compression


SAP NetWeaver
Microsoft IIS: built-in or using third-party module
Apache HTTP Server, via mod_deflate (https://httpd.apache.org/docs/current/mod/mod
_deflate.html) (despite its name, only supporting gzip[14]), and mod_brotli (https://httpd.ap
ache.org/docs/current/mod/mod_brotli.html)
Hiawatha HTTP server: serves pre-compressed files[15]
Cherokee HTTP server, On the fly gzip and deflate compressions
Oracle iPlanet Web Server
Zeus Web Server
lighttpd
nginx – built-in
Applications based on Tornado, if "compress_response" is set to True in the application
settings (for versions prior to 4.0, set "gzip" to True)
Jetty Server – built-into default static content serving and available via servlet filter
configurations
GeoServer
Apache Tomcat
IBM Websphere
AOLserver
Ruby Rack, via the Rack::Deflater middleware
HAProxy
Varnish – built-in. Works also with ESI
Armeria (https://line.github.io/armeria/) – Serving pre-compressed files[16]
NaviServer - built-in, dynamic and static compression

Many content delivery networks also implement HTTP compression to improve speedy delivery of
resources to end users.

The compression in HTTP can also be achieved by using the functionality of server-side scripting
languages like PHP, or programming languages like Java.

Various online tools exist to verify a working implementation of HTTP compression. These online tools
usually request multiple variants of a URL, each with different request headers (with varying Accept-
Encoding content). HTTP compression is considered to be implemented correctly when the server returns a
document in a compressed format.[17] By comparing the sizes of the returned documents, the effective
compression ratio can be calculated (even between different compression algorithms).

Problems preventing the use of HTTP compression


A 2009 article by Google engineers Arvind Jain and Jason Glasgow states that more than 99 person-years
are wasted[18] daily due to increase in page load time when users do not receive compressed content. This
occurs when anti-virus software interferes with connections to force them to be uncompressed, where
proxies are used (with overcautious web browsers), where servers are misconfigured, and where browser
bugs stop compression being used. Internet Explorer 6, which drops to HTTP 1.0 (without features like
compression or pipelining) when behind a proxy – a common configuration in corporate environments –
was the mainstream browser most prone to failing back to uncompressed HTTP.[18]

Another problem found while deploying HTTP compression on large scale is due to the deflate encoding
definition: while HTTP 1.1 defines the deflate encoding as data compressed with deflate (RFC 1951)
inside a zlib formatted stream (RFC 1950), Microsoft server and client products historically implemented it
as a "raw" deflated stream,[19] making its deployment unreliable.[20][21] For this reason, some software,
including the Apache HTTP Server, only implement gzip encoding.

Security implications
Compression allows a form of chosen plaintext attack to be performed: if an attacker can inject any chosen
content into the page, they can know whether the page contains their given content by observing the size
increase of the encrypted stream. If the increase is smaller than expected for random injections, it means that
the compressor has found a repeat in the text, i.e. the injected content overlaps the secret information. This
is the idea behind CRIME.

In 2012, a general attack against the use of data compression, called CRIME, was announced. While the
CRIME attack could work effectively against a large number of protocols, including but not limited to
TLS, and application-layer protocols such as SPDY or HTTP, only exploits against TLS and SPDY were
demonstrated and largely mitigated in browsers and servers. The CRIME exploit against HTTP
compression has not been mitigated at all, even though the authors of CRIME have warned that this
vulnerability might be even more widespread than SPDY and TLS compression combined.

In 2013, a new instance of the CRIME attack against HTTP compression, dubbed BREACH, was
published. A BREACH attack can extract login tokens, email addresses or other sensitive information from
TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted),
provided the attacker tricks the victim into visiting a malicious web link.[22] All versions of TLS and SSL
are at risk from BREACH regardless of the encryption algorithm or cipher used.[23] Unlike previous
instances of CRIME, which can be successfully defended against by turning off TLS compression or
SPDY header compression, BREACH exploits HTTP compression which cannot realistically be turned
off, as virtually all web servers rely upon it to improve data transmission speeds for users.[22]

As of 2016, the TIME attack and the HEIST attack are now public knowledge.[24][25][26][27]

References
1. "Using HTTP Compression (IIS 6.0)" (http://www.microsoft.com/technet/prodtechnol/Window
sServer2003/Library/IIS/d52ff289-94d3-4085-bc4e-24eb4f312e0e.mspx?mfr=true). Microsoft
Corporation. Retrieved 9 February 2010.
2. RFC 2616, Section 3.5: "The Internet Assigned Numbers Authority (IANA) acts as a registry
for content-coding value tokens."
3. 'RFC2616 "Transfer-Encoding: gzip, chunked" not handled properly' (https://code.google.co
m/p/chromium/issues/detail?id=94730), Chromium Issue 94730
4. "Hypertext Transfer Protocol Parameters - HTTP Content Coding Registry" (https://www.ian
a.org/assignments/http-parameters/http-parameters.xhtml#content-coding). IANA. Retrieved
18 April 2014.
5. "Compression Tests: Results" (https://web.archive.org/web/20120321182910/http://www.ver
vestudios.co/projects/compression-tests/results). Verve Studios, Co. Archived from the
original (http://www.vervestudios.co/projects/compression-tests/results) on 21 March 2012.
Retrieved 19 July 2012.
6. "JSR 200: Network Transfer Format for Java Archives" (https://jcp.org/en/jsr/detail?id=200).
The Java Community Process Program.
7. "ModCompress - Lighttpd" (http://redmine.lighttpd.net/projects/1/wiki/Docs_ModCompress).
lighty labs. Retrieved 18 April 2014.
8. elinks LZMA decompression (http://elinks.or.cz/documentation/html/manual.html-chunked/ch
01s07.html#CONFIG-LZMA)
9. "[MS-PCCRTP]: Peer Content Caching and Retrieval: Hypertext Transfer Protocol (HTTP)
Extensions" (http://msdn.microsoft.com/en-us/library/dd304322%28v=PROT.10%29.aspx).
Microsoft. Retrieved 19 April 2014.
10. "rproxy: Protocol Definition for HTTP rsync Encoding" (https://rproxy.samba.org/doc/protocol/
protocol.html). rproxy.samba.org.
11. "[MS-XCA]: Xpress Compression Algorithm" (https://msdn.microsoft.com/en-us/library/Hh554
002.aspx). Retrieved 29 August 2015.
12. "LZMA2 Compression - MozillaWiki" (https://wiki.mozilla.org/LZMA2_Compression).
Retrieved 18 April 2014.
13. "mget GitHub project page" (https://github.com/rockdaboot/mget). GitHub. Retrieved
6 January 2017.
14. "mod_deflate - Apache HTTP Server Version 2.4 - Supported Encodings" (http://httpd.apach
e.org/docs/2.4/mod/mod_deflate.html#supportedencodings).
15. "Extra part of Hiawatha webserver's manual" (http://www.hiawatha-webserver.org/manpage
s).
16. "Serving static files part of Armeria's documentation" (https://line.github.io/armeria/server-http
-file.html#serving-pre-compressed-files).
17. "How does the gzip compression check work?" (https://httptools.dev/gzip-brotli-check).
httptools.dev, retrieved 10 April 2022.
18. "Use compression to make the web faster" (https://developers.google.com/speed/articles/us
e-compression). Google Inc. Retrieved 22 May 2013.
19. "deflate - Why are major web sites using gzip?" (https://stackoverflow.com/questions/917033
8/why-are-major-web-sites-using-gzip/9186091#9186091). Stack Overflow. Retrieved
18 April 2014.
20. "Compression Tests: About" (https://web.archive.org/web/20150102111552/http://www.verve
studios.co/projects/compression-tests/). Verve Studios. Archived from the original (http://ww
w.vervestudios.co/projects/compression-tests/) on 2 January 2015. Retrieved 18 April 2014.
21. "Lose the wait: HTTP Compression" (http://zoompf.com/blog/2012/02/lose-the-wait-http-com
pression). Zoompf Web Performance. Retrieved 18 April 2014.
22. Goodin, Dan (1 August 2013). "Gone in 30 seconds: New attack plucks secrets from
HTTPS-protected pages" (https://arstechnica.com/security/2013/08/gone-in-30-seconds-ne
w-attack-plucks-secrets-from-https-protected-pages/). Ars Technica. Condé Nast. Retrieved
2 August 2013.
23. Leyden, John (2 August 2013). "Step into the BREACH: New attack developed to read
encrypted web data" (https://www.theregister.co.uk/2013/08/02/breach_crypto_attack/). The
Register. Retrieved 2 August 2013.
24. Sullivan, Nick (11 August 2016). "CRIME, TIME, BREACH and HEIST: A brief history of
compression oracle attacks on HTTPS" (https://www.helpnetsecurity.com/2016/08/11/compr
ession-oracle-attacks-https/). Retrieved 16 August 2016.
25. Goodin, Dan (3 August 2016). "HEIST exploit — New attack steals SSNs, e-mail addresses,
and more from HTTPS pages" (https://arstechnica.com/security/2016/08/new-attack-steals-s
sns-e-mail-addresses-and-more-from-https-pages/). Retrieved 16 August 2016.
26. Be'ery, Tal. "A Perfect Crime? TIME will tell" (https://www.owasp.org/images/e/eb/A_Perfect_
CRIME_TIME_Will_Tell_-_Tal_Beery.pdf) (PDF).
27. Vanhoef, Mathy. "HEIST: HTTP Encrypted Information can be Stolen through TCP-windows"
(https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypte
d-Information-Can-Be-Stolen-Through-TCP-Windows-wp.pdf) (PDF).

External links
RFC 2616 (https://datatracker.ietf.org/doc/html/rfc2616): Hypertext Transfer Protocol –
HTTP/1.1
RFC 9110 (https://datatracker.ietf.org/doc/html/rfc9110): HTTP Semantics
HTTP Content-Coding Values (https://www.iana.org/assignments/http-parameters) by
Internet Assigned Numbers Authority
Compression with lighttpd (http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:Modcompre
ss)
Coding Horror: HTTP Compression on IIS 6.0 (http://www.codinghorror.com/blog/2004/08/htt
p-compression-and-iis-6-0.html) Archived (https://web.archive.org/web/20140206020708/htt
p://www.codinghorror.com/blog/2004/08/http-compression-and-iis-6-0.html) 2014-02-06 at
the Wayback Machine
15 Seconds: Web Site Compression (https://web.archive.org/web/20110716033901/http://w
ww.15seconds.com/Issue/020314.htm) at the Wayback Machine (archived July 16, 2011)
Using HTTP Compression (http://www.serverwatch.com/tutorials/article.php/3514866)
Archived (https://web.archive.org/web/20160314155152/http://www.serverwatch.com/tutorial
s/article.php/3514866) 2016-03-14 at the Wayback Machine by Martin Brown of Server
Watch
Using HTTP Compression in PHP (https://web.archive.org/web/20060411174003/http://ww
w.devshed.com/c/a/PHP/Using-HTTP-Compression-in-PHP-Make-Your-Web-Pages-Load-F
aster/)
Dynamic and static HTTP compression with Apache httpd (https://web.archive.org/web/2012
0430023716/https://banu.com/blog/38/dynamic-and-static-http-compression-with-apache-htt
pd/)

Retrieved from "https://en.wikipedia.org/w/index.php?title=HTTP_compression&oldid=1164547271"

You might also like