: Can a random compression level applied on same html output replace HTTPS to an extent? HTTPS is supposedly a secure protocol for data exchange. I'm wondering upon a page request, if I outputted
HTTPS is supposedly a secure protocol for data exchange.
I'm wondering upon a page request, if I outputted data to the client at a different gzip compression level (over the HTTP protocol) each time, would that still be as secure as HTTPS since the raw compressed data (which to humans is garbage) actually being fed to the client is different each time, yet the browser will decompress it perfectly.
Here's an example of what I mean in code. Assume this code forms index.php and the client enters in the same URL every time to access index.php. Here's the code:
<?php
$output="<p>This is a test HTML page to be encoded at a different compression level every time</p>";
$compressed=gzencode($output,rand(1,9));
echo $compressed;
?>
I mean If its feasible and won't wreck my time-to-first-byte too much, I'd rather take this method than to force users to install certificates just to run my site over HTTPS.
More posts by @Sent6035632
1 Comments
Sorted by latest first Latest Oldest Best
Data compressed with gzip contain all the information needed to decompress the data. This means an attacker can simply decompress the data, same as the browser. So this is no more secure than plain text. And the compression level in gzip is actually irrelevant for decompression since it only says how much efforts will be done in finding common pattern in the input to get the best compression ratio.
raw compressed data (which to humans is garbage)
It does not matter if it looks like garbage for most humans. A technical person looking at the traffic will easily see that these are compressed data because the HTTP response actually says this ("Content-Encoding: gzip", without this header the browser will not decompress it) and the data contain the typical gzip header.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.