The amount of compressed Web traffic is growing rapidly, but the bandwidth-saving option may be causing unintended security risks.
A study commissioned by content-acceleration firm Tarari found that in terms of total bytes, 29% of the Web traffic coming from the 100 most popular sites on the Internet used compression.
John Bromhead, VP of marketing at San Diego-based Tarari, which commissioned ByrneIT and port80 Software to perform the study, said the amount of compression being done surprised everyone involved. "Most of us predicted it would be around 5%," he says.
While compression can save companies money by enabling them to speed delivery of content without adding server power or bandwidth, it may also overload antivirus software on servers handling incoming traffic and could cause other security problems.
"Any time a new technology is put in place, there's the potential for creating some unforeseen security problems," said Josh Daymont, director of research at SecureWorks in Atlanta.
Bromhead has seen first-hand the risks the technology poses. Receiving servers require up to five times as much processing power to decompress files before scanning them and sending them on to a user's browser. As a result, network performance can suffer, prompting some administrators to disable some antivirus functions or develop workarounds.
He cited one Wall Street financial firm whose users were complaining about the pace of Web-page loading. To appease end users, administrators let certain users bypass gateway servers, where enterprise-level antivirus software runs.
"As soon as you do that, even for a single user, that's an accident waiting to happen," Bromhead said.
The fact that Web compression adoption has quietly boomed in recent years is one reason for concern about the security risks, say experts. Among the top firms using compression are Amazon.com, Yahoo and Google, the study found.
SecureWorks' Daymont said the technology may have spread without much thought to the impact. "Many traditional Internet professionals have been too quick to assume that technologies such as this pose no risk," he said.
While compression technology itself is usually sound, the interactions between users' browsers and servers that process the information are where it gets "interesting," Daymont added.
Joon Park, a professor of information studies at Syracuse University, said the real risks of Web compression lie in poorly planned or executed implementation of the technology, not in the tool itself, which he says can "dramatically increase the performance of networks."
"A poor implementation could cause security vulnerabilities," said Park.