On Sunday, October 04, 2015 02:48:19 pm Jeffrey Walton wrote:
> If I am reading things correctly: the group has effectively
> encountered a security problem, deemed it to be too hard for them, and
> then pushed it into another layer where folks are even less equipped
> to deal with it. Is that correct?
>
> I might be missing something, but I don't believe the "problems
> created by compression" have gone away. Rather, they have been moved
> around so the risk remains. The underlying problem still exists
> because the group responsible for providing those security services
> have not addressed them.

TLS & SPDY + HTTP compression was broken due to CRIME. The fix was to disable it, and then HTTP/2 introduced HPACK to compress headers safely. Yes, the security issue has been moved around, but to a place that can actually fix it properly. There is nothing TLS could do to implement a fix like HPACK here. I don't claim this is the only way to fix this problem, but it is a straightforward one and the one that is being done.

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
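
Added illustration, not part of the original message and not code from any TLS or HTTP/2 implementation: why a byte-level compressor below HTTP leaks through record length while whole-field indexing (the idea HPACK relies on) does not reward partial matches. The header value, both guesses and the `indexed_len` toy model are constructed for this example; `indexed_len` is not HPACK's wire format.

```python
import zlib

# Constructed sample data: a secret header plus two same-length guesses that
# an attacker-influenced part of the request might contain.
SECRET_HEADER = "cookie: session=7f3a9c21d4e8b6a0"
GOOD_GUESS = "cookie: session=7f3a9c21d4e8"  # matches 12 characters of the secret value
BAD_GUESS = "cookie: session=QZXWVKJYHGPM"   # matches nothing past '='


def deflate_len(guess: str) -> int:
    """Record length when the guess and the secret share one DEFLATE context.

    This is the TLS-level situation: the compressor sees only bytes, so any
    repeated substring becomes a back-reference and shortens the output.
    """
    record = f"GET /?q={guess} HTTP/1.1\r\n{SECRET_HEADER}\r\n\r\n"
    return len(zlib.compress(record.encode(), 9))


def indexed_len(guess: str) -> int:
    """Encoded size under a toy whole-field index (hypothetical model).

    The table already holds the secret header from an earlier request. A field
    costs 1 byte if the *entire* field is in the table; otherwise it is sent
    as a literal with a 1-byte length prefix. Partial matches earn nothing.
    """
    table = {SECRET_HEADER}
    size = 0
    for field in (guess, SECRET_HEADER):
        size += 1 if field in table else 1 + len(field.encode())
    return size


def compare() -> dict:
    """Length observed for each guess under both schemes."""
    return {
        "deflate": (deflate_len(GOOD_GUESS), deflate_len(BAD_GUESS)),
        "indexed": (indexed_len(GOOD_GUESS), indexed_len(BAD_GUESS)),
    }


if __name__ == "__main__":
    for scheme, (good, bad) in compare().items():
        print(f"{scheme:8s} partial-match guess={good:3d}  non-matching guess={bad:3d}")
```

Under whole-field indexing only a guess equal to the complete field changes the length, which is why the decision about what may be compressed together has to sit in the layer that knows where header fields begin and end.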