On Fri 2015-09-18 15:47:27 -0400, "Salz, Rich" <rs...@akamai.com> wrote:

> Can NNTP and HOB/VPN stay on TLS 1.2 which does have the compression
> feature you need? What TLS 1.3 feature is compelling here?
I think this line of argument is worrisome -- we should try to avoid leaving behind protocols that need TLS, if we ever want to be able to deprecate TLS 1.2 the way we've (finally) deprecated SSLv3.

That said, I think there are multiple approaches for NNTP and HOB/VPN that don't involve using compression at the TLS layer.

For instance, with NNTP, if they're certain that CRIME isn't a risk for their use case, they could introduce a STARTCOMPRESSION verb by analogy to STARTTLS. If the only reason they're using TLS in the first place is for compression, this would be a simpler and less-risky approach in terms of software dependencies as well.

I don't know enough about HOB's use of TLS to know whether they could shim their own compression layer in between the VPN traffic or not.

The TLS WG knows that compression represents a serious risk to encrypted traffic, especially in situations like browsers where an adversary can direct a peer to initiate protocol action. Compression itself also represents added complexity for protocol analysis.

I think we should remove compression and we should also explicitly warn users of the protocol about the risks of combining compression with TLS.

--dkg
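The application-layer STARTCOMPRESSION idea sketched above, as an added example that is not part of the original message or of any NNTP implementation: the verb, the "206" reply code and the 2-byte length-prefixed frame format are assumptions made up here for illustration. The point it shows is that compression can be negotiated and applied entirely above TLS, so the TLS layer never carries a compression method at all.

```python
import zlib

# Toy model of a STARTCOMPRESSION verb by analogy to STARTTLS (constructed for
# this example; real NNTP defines no such verb, reply code or frame format).
# Each line is sent as one frame; after negotiation, frames are raw-deflate
# compressed and length-prefixed, entirely above the (assumed) TLS layer.

class Peer:
    def __init__(self):
        self.compressing = False
        self._deflate = None
        self._inflate = None

    def enable_compression(self):
        self.compressing = True
        self._deflate = zlib.compressobj(6, zlib.DEFLATED, -15)  # raw deflate
        self._inflate = zlib.decompressobj(-15)

    def send_line(self, line):
        raw = (line + "\r\n").encode()
        if not self.compressing:
            return raw
        # Z_SYNC_FLUSH per line: each frame decodes alone, dictionary is kept
        body = self._deflate.compress(raw) + self._deflate.flush(zlib.Z_SYNC_FLUSH)
        return len(body).to_bytes(2, "big") + body

    def recv_line(self, frame):
        if not self.compressing:
            return frame.decode().rstrip("\r\n")
        n = int.from_bytes(frame[:2], "big")
        return self._inflate.decompress(frame[2:2 + n]).decode().rstrip("\r\n")


def negotiate(client, server):
    """Client asks for compression; each side switches only after the reply."""
    if server.recv_line(client.send_line("STARTCOMPRESSION")) != "STARTCOMPRESSION":
        return False
    reply = server.send_line("206 Compression active")  # constructed reply code
    server.enable_compression()  # everything after the reply is compressed
    if not client.recv_line(reply).startswith("206"):
        return False
    client.enable_compression()
    return True


def post_lines(client, server, lines):
    """Send lines client->server; return (lines as received, bytes on the wire)."""
    received, wire = [], 0
    for line in lines:
        frame = client.send_line(line)
        wire += len(frame)
        received.append(server.recv_line(frame))
    return received, wire
```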