I thought we already decided to remove compression from TLS 1.3. Russ
On Oct 8, 2015, at 10:10 PM, Scott Arciszewski wrote: > Based on CRIME and BREACH we know that this construction is not secure: > > C = encrypt(compress(A || B)) > > If you control B and A contains sensitive information, strlen(C) tells you > information about A. Vice versa if you control A and B contains sensitive > information. > > In the context of a web application, this can lead to the compromise the > contents of HTTP-Only cookies. > > This is known to be safe: C = encrypt(A || B). (No compression.) > > This might be safe: C = encrypt(A || compress(B) ). > > If an application needs to compress data before encryption, it shouldn't be a > Transport Layer protocol's job to do so. > > Compression has no place in Transport Layer Security. Please nix it until we > can, in a provably secure manner, make C = encrypt(compress(A || B)) not leak > information about A when an attacker controls B. > > I await your IACR papers that prove the contrary, or a swift and decisive > vote to kill TLS encryption in 1.3. Further bikeshedding is just embarrassing. > > Just my $0.02. > > Scott Arciszewski > Chief Development Officer > Paragon Initiative Enterprises
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
