On Wed, Mar 16, 2016 at 12:45 PM, Tom Ritter <t...@ritter.vg> wrote:

> If a site wants to actively do something to make length-hiding harder
> - to the point where they'd go in and prefer CBC ciphersuites - why
> not just add 5 lines of code to a header template, to insert some
> random data in a HTML comment?
>

Length hiding is a game of costs, doing more can always help. But one of the benefits of being able to do it at the TLS layer is that it also helps you hide the length of the request.

> I'm one of the biggest proponents for padding in TLS 1.3... and hope
> to see it used to make deployments of length-hiding and traffic
> analysis harder, so the HTML comment or similar tricks would be
> easier, more robust, and not require site modifications. But I don't
> think going back to CBC mode is a good idea.
>

Why?

--
Colm
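
The HTML-comment padding suggested in the quoted message, sketched as an added example (not code from either poster or from any TLS implementation); `render`, `MAX_PAD` and the sample pages are assumptions made for illustration. It measures what an on-path observer sees: the padding blurs response lengths only, and only between pages whose sizes differ by less than the padding range.

```python
import secrets

MAX_PAD = 256  # assumed upper bound on padding bytes; not a value from the thread


def pad_comment(max_pad: int = MAX_PAD) -> str:
    """Return an HTML comment holding a random amount of random hex data."""
    n = secrets.randbelow(max_pad + 1)            # uniform in 0..max_pad
    filler = secrets.token_hex((n + 1) // 2)[:n]  # hex only, so "--" cannot appear
    return f"<!-- {filler} -->"


def render(body: str, max_pad: int = MAX_PAD) -> bytes:
    """Hypothetical header template: emit the padding comment, then the page."""
    return f"<!DOCTYPE html>\n{pad_comment(max_pad)}\n{body}".encode()


def observed_lengths(body: str, samples: int = 2000) -> tuple[int, int]:
    """Min and max response length an observer would record for one page."""
    sizes = [len(render(body)) for _ in range(samples)]
    return min(sizes), max(sizes)


def ranges_overlap(a: tuple[int, int], b: tuple[int, int]) -> bool:
    """True if a single observed length could belong to either page."""
    return a[0] <= b[1] and b[0] <= a[1]


# Constructed sample pages: B is 40 bytes longer than A, C is 1000 bytes longer.
PAGE_A = "<html><body>" + "a" * 500 + "</body></html>"
PAGE_B = "<html><body>" + "b" * 540 + "</body></html>"
PAGE_C = "<html><body>" + "c" * 1500 + "</body></html>"

if __name__ == "__main__":
    a, b, c = (observed_lengths(p) for p in (PAGE_A, PAGE_B, PAGE_C))
    print("A", a, "B", b, "C", c)
    # A and B are closer together than MAX_PAD, so their length ranges overlap.
    print("A/B ambiguous from one length:", ranges_overlap(a, b))
    # A and C are further apart than MAX_PAD, so padding does not hide which is which.
    print("A/C ambiguous from one length:", ranges_overlap(a, c))
```

The request that selected the page is untouched by this template change, which is the gap the reply points at when it mentions hiding the length of the request at the TLS layer.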

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls