Re: New I-D: Security Considerations Regarding Compression Dictionaries

"Soni L." <fakedme+http@gmail.com> Wed, 30 October 2019 21:21 UTC

To: ietf-http-wg@w3.org
From: "Soni L." <fakedme+http@gmail.com>
Message-ID: <11789461-c93b-fd75-8054-467889cdfe91@gmail.com>
Date: Wed, 30 Oct 2019 18:18:20 -0300
In-Reply-To: <0a7e4dad-d86b-ebf5-6c7f-781afba3af3e@felixhandte.com>
Archived-At: <https://www.w3.org/mid/11789461-c93b-fd75-8054-467889cdfe91@gmail.com>

(sorry, I seem to have made a mistake when posting this/replying the 
first time around.)

On 2019-10-30 1:15 p.m., W. Felix Handte wrote:
> On 10/30/19 5:43 AM, Soni L. wrote:
>> So, what you're saying, is that this wouldn't be an issue if we were 
>> using public-key-based authentication and session tokens?
>>
>> Like this? https://soniex2.autistic.space/posts/2019/06/uweb.xhtml 
>> (or, perhaps, this? https://awoo.space/@SoniEx2/102972533369915352 )
>
> Secret tokens (passwords, keys, cookies, etc.) are likely the most 
> important kind of content to protect, but also definitely not the only 
> kind. Message bodies themselves may contain secrets worth attacking 
> (credit card numbers).
>
Ah. Yeah. I forgot about that. .-.

(Although, probably in my ideal world my computer would have an NFC or 
chip-and-pin reader and the whole thing would be end-to-end encrypted 
between the parties. I don't get why we don't have those yet. But, 
anyway, I digress.)