From 0555fe4869930c1225ae5b101b3277d5fdbae880 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Fri, 9 Mar 2018 18:02:57 +0100 Subject: [PATCH] security docs: add about combining compression and encryption (cherry picked from commit be8913a93c499f4e39c9fb24a72bd478d4efecea) --- docs/internals/security.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/internals/security.rst b/docs/internals/security.rst index 16a0fd092..f785a9591 100644 --- a/docs/internals/security.rst +++ b/docs/internals/security.rst @@ -373,3 +373,16 @@ while libssl implements TLS and related protocols. The latter is not used by Borg (cf. `Remote RPC protocol security`_, Borg itself does not implement any network access) and historically contained most vulnerabilities, especially critical ones. The static binaries released by the project contain neither libssl nor the Python ssl/_ssl modules. + +Compression and Encryption +========================== + +Combining encryption with compression can be insecure in some contexts (e.g. online protocols). + +There was some discussion about this in `github issue #1040`_ and for Borg some developers +concluded this is no problem at all, some concluded this is hard and extremely slow to exploit +and thus no problem in practice. + +No matter what, there is always the option not to use compression if you are worried about this. + +.. _github issue #1040: https://github.com/borgbackup/borg/issues/1040
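Review bot: the new "Compression and Encryption" section says combining the two "can be insecure in some contexts" but never states the mechanism or the preconditions, so a reader cannot judge whether their own setup is affected. Suggest adding one sentence after "Combining encryption with compression can be insecure in some contexts (e.g. online protocols)." explaining that encryption hides content but not length, so the size of a compressed-then-encrypted block reveals how compressible the plaintext was, and that this only becomes exploitable when an attacker can both influence the data being backed up and observe the resulting ciphertext sizes. The paragraph reporting that "some developers concluded this is no problem at all, some concluded this is hard and extremely slow to exploit" records a disagreement without a recommendation; documentation should instead state under which threat model the concern applies, or link the issue for the discussion and give the practical conclusion here. Finally, "there is always the option not to use compression" should name the option (in Borg this is `--compression none` on `borg create`) so the reader does not have to look it up.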