lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <OF9E8E92C8.122827FC-ON88256E44.000AD658-88256E44.000B2B72@2roads.com>
Date: Mon, 23 Feb 2004 18:01:59 -0800
From: mgotts@...ads.com
To: Darwin Mecham <darwin@...sp.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: blocking gzip encoded files


Darwin Mecham <darwin@...sp.com> wrote on 02/23/2004 02:38:39 PM:

> It has recently come to my attention that most browsers happily
> do Accept-encoding: gzip and streaming decompression of
> HTML data received with Content-encoding: gzip
>  without asking.
> 
> This has been in use since sometime in 1998.
> 
> Is there a way to configure the run-of-the-mill browser to
> block these at the host level ?

I don't know of a browser setting to enable/disable it. But you can use 
something like Proxomitron to do it (http://www.proxomitron.info/). The 
gzip setting is one of the "Headers" settings and is called "
Accept-encoding: Allow webpage encoding (out)". Disable this to prevent 
gzip encoding from being used. I've done so in the past, and it does 
indeed work as advertised.

Proxomitron does *MUCH* more than this, if you are not yet familiar with 
it.

-- Mark



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ