Re: New I-D: Security Considerations Regarding Compression Dictionaries

"Soni L." <> Wed, 30 October 2019 21:21 UTC

(sorry, I seem to have made a mistake when posting this/replying the 
first time around.)

On 2019-10-30 1:15 p.m., W. Felix Handte wrote:
> On 10/30/19 5:43 AM, Soni L. wrote:
>> So, what you're saying, is that this wouldn't be an issue if we were 
>> using public-key-based authentication and session tokens?
>> Like this? 
>> (or, perhaps, this? )
> Secret tokens (passwords, keys, cookies, etc.) are likely the most 
> important kind of content to protect, but also definitely not the only 
> kind. Message bodies themselves may contain secrets worth attacking 
> (credit card numbers).
Ah. Yeah. I forgot about that. .-.

(although, probably in my ideal world my computer would have an NFC or 
chip-and-pin reader and the whole thing would be end-to-end encrypted 
between the parties. I don't get why we don't have those yet. But, 
anyway, I digress.)