raron 4 days ago

> I'd love to see examples of where this is actually the case and it's drastically different from just sending HTML on the wire.

There are complete CAD applications running in browsers for PCB and mechanical design with many layers, 3D view, thousands of components, etc.

For example: https://easyeda.com/ https://www.onshape.com

> because HTML compresses incredibly well

Hasn't compression under TLS been mostly disabled after the CRIME and BREACH attacks?

niutech 4 days ago

No, HTTP compression is widely used (brotli increasingly).

chuckadams 4 days ago

BREACH would be the relevant attack for content-encoding compression. It's only good for guessing the content of the response that can't actually be read otherwise (i.e. stealing a CSRF token in cross-site requests), requires that the server echo back a chosen plaintext in the response (e.g. a provided query string), and takes thousands of requests to pull it off.

It's a vanishingly small number of things that are actually vulnerable to this attack, and I've never even heard of a successful real-world exploit (though it's not like the attackers that might use this go and tell everyone).
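The preconditions listed in the comment above (a secret in the body, an echoed query string, a compressed response) can be checked from the defender's side. This is an added example, not part of the thread: the page, the token value and the helper names are constructed, and the per-response token masking it compares against is a commonly used mitigation that the comments do not mention.

```python
import os
import random
import zlib

SECRET = "9f3c1a7be04d5526"  # constructed CSRF token (hex), not a real value

def static_token() -> str:
    """Same token bytes in every response: the case the comment describes."""
    return SECRET

def masked_token() -> str:
    """Fresh random pad per response; the server recovers the secret with unmask()."""
    secret = bytes.fromhex(SECRET)
    pad = os.urandom(len(secret))
    return (pad + bytes(a ^ b for a, b in zip(pad, secret))).hex()

def unmask(wire: str) -> str:
    raw = bytes.fromhex(wire)
    pad, masked = raw[:len(raw) // 2], raw[len(raw) // 2:]
    return bytes(a ^ b for a, b in zip(pad, masked)).hex()

def render(query: str, token: str) -> bytes:
    """Hypothetical page that echoes the query string next to a hidden token."""
    return (f"<html><body><p>No results for {query}</p>"
            f"<form method='post'><input type='hidden' name='csrf' value='{token}'>"
            f"</form></body></html>").encode()

def wire_len(body: bytes) -> int:
    """Body size as seen on the wire with deflate content-encoding."""
    return len(zlib.compress(body, 9))

def mean_gap(token_fn, trials: int = 200) -> float:
    """Average bytes saved when the echoed text equals the secret rather than
    a random string of the same length. Near zero means no length signal."""
    rng = random.Random(0)  # fixed seed only so the sample strings are repeatable
    total = 0
    for _ in range(trials):
        wrong = "".join(rng.choice("0123456789abcdef") for _ in SECRET)
        total += wire_len(render(wrong, token_fn())) - wire_len(render(SECRET, token_fn()))
    return total / trials

if __name__ == "__main__":
    print("static token gap (bytes):", mean_gap(static_token))
    print("masked token gap (bytes):", mean_gap(masked_token))
```

A clearly positive gap for the static token and a gap near zero for the masked one shows that the length signal depends on the same secret bytes appearing in every compressed response.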
