Network Forensics Blog » Blog Archive » Network Forensics and Reversing Part 1 – gzip web content, java malware, and a little JavaScript

Something I’ve found unsettling for some time now is the drastically increased usage of gzip as a Content-Encoding transfer type from web servers. By default now, Yahoo, Google, Facebook, Twitter, Wikipedia, and many other organizations compress the content they send to your users. From that list alone, you can infer that most of the HTTP traffic on any given network is not transferred in plaintext, but rather as compressed bytes.

The post goes on to claim that most network security solutions are blind to gzipped web traffic.

While I have not done a survey of “most” network security solutions, I can say for sure that Palo Alto Networks does automatically decompress gzipped content in hardware and then inspect and apply policies.
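To make the point concrete, here is an added Python example (not code from either blog post): it builds a constructed HTTP response carrying a small obfuscated-JavaScript loader, once in plaintext and once with Content-Encoding: gzip, and shows that a signature matched against the raw bytes on the wire misses the gzipped copy, while the same signature matches once the body is decoded the way a browser would decode it. The sample page, the signature string and all function names are assumptions for illustration only.

```python
import gzip
import zlib

# Constructed sample page (not a real capture): a small obfuscated-JS loader
# of the kind a content signature would flag.
SUSPICIOUS_JS = (
    b"<html><head><title>page</title></head><body>\n"
    b"<script>eval(unescape('%61%6c%65%72%74%28%31%29'));</script>\n"
    b"<script>eval(unescape('%61%6c%65%72%74%28%32%29'));</script>\n"
    b"</body></html>\n"
)
# Hypothetical detection signature for the loader above.
SIGNATURE = b"eval(unescape("


def build_response(body: bytes, gzipped: bool) -> bytes:
    """Build a minimal HTTP/1.1 response as a server would send it (constructed)."""
    payload = gzip.compress(body) if gzipped else body
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if gzipped:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: %d" % len(payload))
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def split_response(raw: bytes):
    """Return (headers dict with lower-cased names/values, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def decode_body(headers, body: bytes) -> bytes:
    """Undo Content-Encoding so the body can be inspected as the browser will see it."""
    encoding = headers.get(b"content-encoding", b"identity")
    if encoding in (b"gzip", b"x-gzip"):
        return gzip.decompress(body)
    if encoding == b"deflate":
        # RFC 7230 defines deflate as zlib-wrapped, but some servers send raw
        # deflate, so fall back to a raw-stream decode if the wrapped decode fails.
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)
    return body


def naive_match(raw: bytes) -> bool:
    """Signature check on the raw bytes on the wire (what a blind sensor sees)."""
    return SIGNATURE in raw


def inspecting_match(raw: bytes) -> bool:
    """Signature check after decoding Content-Encoding (what the browser sees)."""
    headers, body = split_response(raw)
    return SIGNATURE in decode_body(headers, body)


if __name__ == "__main__":
    for gz in (False, True):
        raw = build_response(SUSPICIOUS_JS, gz)
        print(f"gzip={gz}: raw match={naive_match(raw)}, "
              f"decoded match={inspecting_match(raw)}")
```

Running it prints a raw-bytes match only for the plaintext response, and a decoded match for both: a sensor that does not undo Content-Encoding before applying signatures sees nothing in the gzipped case. Real traffic also needs the Transfer-Encoding: chunked framing removed before the body is decompressed; this example keeps a fixed Content-Length to stay focused on the encoding step.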