Description
Default Debian webserver config has HTTPS gzip compression disabled for all webservers. We do not touch that, as it is the easiest and most reliable mitigation against the BREACH vulnerability (and other HTTP compression attacks). The only other "reliable" way to mitigate such attacks (and make gzip compression safe) is on the application side.
As we are not currently aware which applications need or provide the required mitigation, we fall back to the safest option. End users can relatively easily enable web compression in the webserver config if they wish, i.e. if they do not care about the risk or are sure that the specific app is safe.
However, following some internal discussion prompted by a post on the website forums, if/when time allows it would be good to explicitly investigate each application we provide and enable gzip compression where it is safe, on a case-by-case basis.
I think the best way to implement that would be to leave webserver gzip disabled by default and use a whitelist to enable it only for applications that already provide their own mitigation.
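As an illustration of the whitelist approach, here is an added Apache configuration example (not the project's actual config; the page does not name the webserver, so Apache with mod_deflate and mod_env is assumed). Compression stays off for the whole TLS virtual host and is re-enabled only under a hypothetical application path, `/example-app`, which is assumed to ship its own BREACH mitigation:

```apache
# Added example, not the project's own configuration.
# Assumes Apache with mod_ssl, mod_env and mod_deflate loaded.
<VirtualHost *:443>
    ServerName example.invalid        # placeholder hostname
    SSLEngine on
    DocumentRoot /var/www/html        # assumed document root

    # Default for the whole HTTPS vhost: tell mod_deflate not to compress
    # any response. Plaintext secrets next to attacker-influenced content
    # cannot leak through compressed sizes when nothing is compressed.
    SetEnv no-gzip 1

    # Whitelist entry: /example-app is assumed to implement its own BREACH
    # mitigation (e.g. masking CSRF tokens per request), so compression is
    # switched back on for that path only.
    <Location "/example-app">
        UnsetEnv no-gzip
        AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript
    </Location>
</VirtualHost>
```

After reloading Apache, the effect can be verified from a client by requesting a path inside and outside the whitelist with `curl -sSI --compressed https://<host>/<path>` and checking whether a `Content-Encoding: gzip` header is present: it should appear only for the whitelisted application path. Each new whitelist entry should be added only once the corresponding application's own mitigation has been confirmed.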