On 2014-04-07 00:05, Daniel Kahn Gillmor wrote:
> It sounds to me like you might be setting up some sort of automated
> encrypted JSON message-passing scheme. If so, you should be aware
> that if any of the encrypted JSON could be controlled by an
> attacker, that attacker could possibly learn information about the
> other parts of the message that are not controlled by them when
> using compression, just by inspecting the size of the traffic.

Thanks for the heads-up. If I understand you (after some further reading on CRIME attacks), this only is an issue in the event that a 3rd party is injecting content into the requests and then able to see the resulting encrypted data. In my use-case, the encrypting party is in control of the entire message (modulo some metadata controlled by my wrapping app, including nothing from other parties) so such a CRIME attack would have to be self-inflicted, and yield unsurprising results because it would reveal message content they already possess.

Thanks,
-Tim
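
The size leak discussed in this exchange, as an added example that is not part of the original emails: a constructed JSON message carries a secret field next to a field supplied by another party, and the observable size is compared with and without compression. The field names, token values and helper functions are hypothetical, and ciphertext size is assumed to track plaintext size plus a constant overhead.

```python
import json
import zlib

# Constructed sample values; the field names and both strings are hypothetical.
SECRET_TOKEN = "k3Jq9ZxT7vLp2RmW8nYb4HcD6sFg1AeU"
OTHER_VALUE = "Q8wE5rT1yU6iO3pA7sD2fG9hJ4kL0zXc"  # same length, different content


def build_message(untrusted_note: str) -> bytes:
    """JSON message mixing a secret field with a field another party controls."""
    return json.dumps({"token": SECRET_TOKEN, "note": untrusted_note}).encode()


def observable_size(plaintext: bytes, compress: bool) -> int:
    """Size visible on the wire, ignoring the constant encryption overhead
    (assumption: the cipher does not hide plaintext length)."""
    body = zlib.compress(plaintext, 9) if compress else plaintext
    return len(body)


def size_gap(compress: bool) -> int:
    """Difference in observable size between an untrusted field that does not
    repeat the secret and one that does. Non-zero means size depends on the
    secret's content."""
    differs = observable_size(build_message(OTHER_VALUE), compress)
    repeats = observable_size(build_message(SECRET_TOKEN), compress)
    return differs - repeats


if __name__ == "__main__":
    # With compression the repeated value collapses into a back-reference,
    # so the message gets shorter; without compression both sizes are equal.
    print("gap with compression:   ", size_gap(compress=True))
    print("gap without compression:", size_gap(compress=False))
```

When every field comes from the encrypting party, as in the use case described in the reply, no other party chooses the `note` value, so the gap exposes nothing that party does not already hold.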