<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
One thing I've been meaning to follow up on: The spec currently says
"The ruleset database will be served as a ZIP file." I mentioned that
Content-Encoding: gzip at the HTTP level would be simpler and offer
similar compression. Yan's objection was that this could enable the
BREACH attack. However, the BREACH attack only applies when there is
both user-controllable content and secret content returned from a
given URL. The ruleset database has neither.<br>
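<br>
The condition stated above, shown as an added example (not part of the original message or of the spec): the gzip-compressed size of a response can depend on a secret only when that same response also echoes request data. The handler names, the sample ruleset bytes and the token are constructed for illustration.

```python
import zlib

# Constructed sample data: not real rulesets and not a real token.
RULESET_DB = b'{"rulesets": [{"name": "example.com", "rule": "^http: to https:"}]}' * 20
SECRET = b"csrf_token=9f2c4e7a1b3d5f60718293a4b5c6d7e8"


def static_ruleset(query):
    """The ruleset database: identical bytes for every request, no secret."""
    return RULESET_DB


def secret_only(query):
    """Contains a secret but never echoes request data."""
    return b"page start " + SECRET + b" page end"


def reflects_and_secret(query):
    """Echoes request data next to a secret: both BREACH preconditions hold."""
    return b"page start you searched for: " + query + b" " + SECRET + b" page end"


def gzip_len(body):
    """Approximate on-the-wire size under Content-Encoding: gzip (deflate, level 9)."""
    return len(zlib.compress(body, 9))


def length_gap(handler):
    """Compressed-size difference between a request that repeats the secret
    and a same-length request that does not. Zero means the size a network
    observer sees is independent of the secret."""
    matching = SECRET
    other = b"csrf_token=" + b"0123456789abcdefghijklmnopqrstuv"  # same length, no match
    return gzip_len(handler(other)) - gzip_len(handler(matching))


if __name__ == "__main__":
    for handler in (static_ruleset, secret_only, reflects_and_secret):
        print(handler.__name__, "length gap:", length_gap(handler))
```

Only the handler that combines reflected input with a secret shows a non-zero gap; the static ruleset file compresses to the same size whatever the request contains.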
</body>
</html>