Questions tagged [compression]
the act of compression reduces the size of the file(s) being compressed by encoding information and eliminating statistical redundancy.
81 questions
0
votes
2
answers
163
views
Best practice for Open SSL / TLS compression and CRIME
The general consensus on enabling SSL Compression is "don't" because of the CRIME exploit. However, this exploit seems to have been mitigated in 2012.
I want to know:
Should I still avoid ...
- 103
2
votes
1
answer
366
views
Is Error Level Analysis (ELA) in image forensics a reliable indicator for detecting digital modifications?
I'm reading about Error Level Analysis (ELA) in image forensics as means to detect if modifications were made to a photo. ELA is nicely described here: https://fotoforensics.com/tutorial.php?tt=ela. ...
- 7,715
1
vote
1
answer
191
views
Is an API vulnerable to BREACH if HTTP compression is only enabled for endpoints that are authenticated using bearer tokens?
Let's assume an API returns sensitive information (e.g. medical or financial) to authenticated users only.
In some circumstances responses may include information the user supplied in the request (e.g....
- 13
2
votes
4
answers
2k
views
HTTPs compression, CSRF and mobile apps
I have a backend for a mobile application that has to serve large JSON responses from time to time, the transfer would be greatly helped by enabling compression, especially when the user has bad ...
- 123
1
vote
2
answers
452
views
How does malware work when compressed?
I have read up on compressed folders of file types such as .zip, .rar and .7zip being the malicious file itself (excluding cases such as an .exe file being disguised as a .zip file etc...), only ...
1
vote
1
answer
348
views
Fuzzy hash of a file
Could someone please explain this to me: When you use a fuzzy hash algorithm (ssdeep, tlsh, sdhash... or any other) to calculate the hash value of a file, does it calculate the hash based on the whole ...
- 55
24
votes
2
answers
6k
views
Is compression mandatory with TLS?
I've had a look within the official TLS specification but I cannot see any mention of this. Does TLS allow compression to be disabled? Or is it mandatory?
- 341
1
vote
1
answer
173
views
Does filesystem compression aid cryptanalysis?
I use LUKS to encrypt all sensitive data on my computer. If I switch to using a filesystem with on-the-fly data compression such as ZFS, should I use its compression feature together with LUKS? Does ...
- 43
0
votes
1
answer
3k
views
Gzip only request body of HTTPS request security BREACH?
I'm not an expert of security.
I heard it's not recommended to enable GZIP compression for HTTPS requests, that would open a security issue (see SO answer: https://stackoverflow.com/a/4063496/17307650 ...
- 135
5
votes
0
answers
1k
views
Protection against JPEG compression bombs
There is a well-known threat named compression bombs. Such image formats as PNG and JPEG use compression methods, and therefore and in theory PNG/JPEG images might be a compression-bomb.
I've found an ...
- 63
0
votes
1
answer
374
views
Any risk on viewing the content of a RAR file without extracting it?
lets say I have a rar file that has a bunch of images inside. Is there any risk of opening the image inside the rar without extracting the entire file?
8
votes
1
answer
888
views
How sensitive are acoustic side-channels to compression with a narrowband codec?
Assume sensitive audio emissions from a mechanical keyboard. These audio emissions are often sufficient to reconstruct the actual key presses that generated the sound. If the audio is compressed using ...
- 67.8k
5
votes
2
answers
3k
views
Compression and Encryption against security issues
I'm having a hard time knowing whether the following setup is vulnerable to CRIME/BREACH type attacks (which target HTTPS).
I am running a Wireguard VPN that tunnels VXLAN protocol, using ChachaPoly20 ...
- 153
1
vote
0
answers
485
views
3
votes
3
answers
946
views
Does compression level influence security of encryted 7z files?
I want to archive some GB of sensitive data. It is to be stored on an external drive that also includes non sensitive data so i don't want to encrypt the whole drive. For that purpose i want to use ...
- 33
0
votes
1
answer
227
views
Obscure compression before encrypting
Assuming whatever encryption algorithm used was designed to support compression without any information leakage, would there be any reason not to use some custom compression algorithm to add obscurity ...
5
votes
3
answers
2k
views
Does TLS 1.3 mitigate the BREACH vulnerability?
Section 5.4 of the TLS 1.3 specification describes record padding.
One of the mitigations for BREACH is to add random padding.
Therefore, I'm wondering:
Does TLS 1.3 require random record padding? I'...
- 151
13
votes
1
answer
3k
views
Does it weaken the encryption of SSH to use compression?
When using compression on openssh (a la ssh -C ...), does this reduce entropy and make the tunnel traffic more vulnerable to cryptanalysis? Is compression an option I should disable server-side for ...
- 431
3
votes
1
answer
1k
views
What steganographic techniques can I use in images that survive lossy compression?
Learning a bit about IT security, a segment of the material was the basics of steganography - specifically, hiding information in the lowest significance bits of images, and converting images into ...
- 193
6
votes
2
answers
5k
views
How are websites actually mititating BREACH? (HTTPS + compression)
After reading some popular questions and answer on this website about BREACH, the only advice seems to be: don't compress anything that might contain secrets (including CSRF tokens). However, that ...
- 16k
1
vote
1
answer
2k
views
Lost RAR password, is there any way to access my data? [closed]
I lost my winrar password of my file. I need to access it. Is it possible? If yes, how?
- 21
2
votes
1
answer
167
views
What method to compress English by hand has the highest compression ratio? [closed]
Solitaire is a method for encrypting messages by hand. Reading it though, the only advantage the Solitaire has over a one time pad is that it can encrypt longer messages. It requires a new, random key ...
- 2,947
8
votes
1
answer
4k
views
How to protect websites against ZIP bombs and reference bombs?
A Zip bomb (concept here) seems quite a "smart" and easy vulnerability to websites where uploading ZIP files is allowed. Such sites are under a threat (at least to make some degree of damage to them) -...
- 2,747
0
votes
1
answer
153
views
Can a compressed archive be constructed in a way to extract into system folders?
Using compression utilities, is it possible to create an archive that when extracted, will place certain files in certain areas on a users PC?
For example, suppose if I wrote a virus or a malicious ...
user192946
0
votes
1
answer
799
views
Which HTTP Compression should I use (and how?)
I know that there are multiple HTTP Compression tools out there.
In order to entirely prevent a site from being susceptible to BREACH, which HTTP Compression algorithm should I use?
Also, how ...
- 144
3
votes
1
answer
309
views
How does CRIME work against cookies
Wiki on CRIME:
CRIME <...> is a security exploit against secret web cookies
RFC 2616 on Content-Encoding:
The Content-Encoding entity-header <...> when present, its value indicates what ...
- 289
-5
votes
3
answers
3k
views
Which encryption algorithm allows for the less output data than source data? [duplicate]
I am trying to figure out how to get my source information to compile smaller using encrypted text. This could potentially change the game in transferring large-chunked data and offer security at the ...
- 101
1
vote
1
answer
698
views
What is the algorithm for ARJ encrypted files?
I came across some password protected ARJ files.
What is the algorithm for ARJ encrypted files ? How to decrypt them ?
- 180
0
votes
2
answers
692
views
Best way to encrypt user data stored in xml?
First of all I am not very familiar with the world of encryption so please be nice.
I have got a data that should store in an xml using NetDataContractSerializer. This xml file gets the size of from ...
- 1
2
votes
0
answers
225
views
BREACH attack against SPA
I have a single page application that is hosted at example.com that relies on api.example.com. The SPA sends user credentials (JWT token) in authorization header for every request.
Let's suppose ...
- 21
15
votes
1
answer
1k
views
JPEG artifacts leaking information about redacted contents
It was mentioned that JPEG should not be used between image creation and redaction of sensitive contents, because compression artifacts around the redacted area may leak information. Given how this ...
- 67.8k
3
votes
2
answers
794
views
SSL/TLS compression attacks on mail servers (smtp)
Currently, we know few compression attacks on the SSL/TLS protocol (such as Crime or Breach). I wonder for few days if these attacks are practicable on a mail server (smtp). Is CRIME attack ...
- 33
2
votes
1
answer
122
views
Application control of HTTP content compression [closed]
How does an application control whether or not its http content is compressed? I am not talking about TLS level compression, but rather about the compression of https:// response bodies only.
In ...
- 51
0
votes
2
answers
707
views
How can I select a compression utility that is popular and secure enough
In a previous posting on Which is a safe way to transfer a copy of a sensitive document?, I have received suggestions to compress and encrypt an attachment file using the options of utilities such as ...
- 955
0
votes
0
answers
105
views
Detectability of packing files in Windows 10
I follow the tutorial here: https://www.youtube.com/watch?v=g0RmclTe7Lo
to pack calc.exe in windows 10 at
C:\Windows\System32\calc.exe
But I get the following error:
What's the problem?
It seems ...
- 263
4
votes
2
answers
1k
views
Encryption and Compression
I've read that encryption produces random data and compression works by removing patterns in data and as a consequence, encrypted data has high entropy. I'm a bit confused, though.
The reason I'm ...
- 143
18
votes
8
answers
17k
views
Are 7-Zip password-protected split archives safe against hackers when they are password-protected a couple of times?
Imagine I wish to upload my sensitive personal information (photos, document scans, list of passwords, email backups, credit card information, etc.) on Google Drive (or any other cloud service).
I ...
- 239
4
votes
2
answers
5k
views
What are some possible uses of a zip bomb?
This article claims that zip bombs cannot be used today as modern systems are too smart for it and no victim is going to slowly unpack terrabytes of data so zip bombs are basically useless.
Is this ...
- 41
11
votes
1
answer
3k
views
Brotli compression for HTTPS
It appears that Chrome, Firefox, and soon Edge, support the new Brotli compression algorithm over HTTPS only.
I can't find anything on whether this new compression algorithm is susceptible to the ...
- 2,308
4
votes
1
answer
533
views
Are there valid reasons for compressed files (zip, gzip, etc.) to spoof file size?
Zip files, GZip files, and likely others, include information about the contained file, including the uncompressed size of the file. However, when extracting these files the number is meaningless as ...
- 141
0
votes
2
answers
485
views
What are the implications of reversing hashes
Today it was posited to me that
sha256 has a domain large enough to never encounter a collision and
that because it is such a large domain and given that a reverse function was created for it, that ...
- 101
1
vote
0
answers
901
views
Is it possible to obfuscate binaries with UPX or similar software?
Warez scene groups often compress their binary executables using UPX or similar software.
I've heard somewhere that they do this to obscure the algorithms they use from other groups, but I find this ...
- 111
1
vote
4
answers
560
views
Why browsers don't support TLS without encryption and deprecate compression for public data
These days we observes trend to use HTTP over TLS (HTTPS) for all communication. It recommend all weighty Internet service vendors and that claims to good practice. But TLS suite have 3 options for ...
- 11
3
votes
1
answer
143
views
.NET extraction and storage of compression files concerns
I have been provided a specification for an enhancement to one of my companies software products to allow extraction of uploaded compression files (just Zip currently) that will save and migrate the ...
- 535
1
vote
0
answers
297
views
The RAR archive format and authenticity verification [closed]
The changelog for RAR 5 mentions the following:
Features removed:
authenticity verification feature did not provide the required level of reliability and was removed;
...
I didn't find any ...
- 633
1
vote
2
answers
1k
views
Various questions about file compression and encryption regarding hacking (zip, rar, 7z) [closed]
So I'm curious about a few aspects of compressed files (Zip, rar, 7z, etc), and how they impact hack-ability. There is enough on this subject that I'm not clear about (since this isn't a career of ...
- 19
0
votes
1
answer
3k
views
Base64 or HEX encoded? [closed]
I have this string encoded and compressed (link to full string)
...
- 3
2
votes
1
answer
595
views
Decryping a RAR file with same password
I came across a problem very similar recently and wondered if anyone knew how to solve this.
So say for example I have an RAR archive called archiveA.rar and a password to protect it the password is ...
- 23
8
votes
3
answers
4k
views
Encrypted password inside compressed archive
File compression utilities like Winrar or ZIP or 7zip encrypt the password and store it inside the archive.
How safe is that? I mean you are giving away the archive with the password inside,it's not ...
- 2,473
3
votes
3
answers
278
views
is g-zipping assets a security concern?
I recently noticed that the assets sent to clients aren't gzipped or minified on either my companies intranet or its public facing website.
I brought this to the attention of the networking ...
- 187