Re: New I-D: Security Considerations Regarding Compression Dictionaries

"W. Felix Handte" <w@felixhandte.com> Wed, 30 October 2019 16:18 UTC

To: ietf-http-wg@w3.org
References: <20988909-6e4e-ea45-139a-ca403a7433eb@felixhandte.com> <CAN2QdAGX0vtBSuUBS_HYsoTuTmmO=-LX_w9OizG+v6jqFMtLTA@mail.gmail.com> <f99d6b86-72af-a019-ae8b-a5673adfc814@felixhandte.com> <c5e37168-b958-8b13-ab97-f9a7f5352b24@gmail.com>
From: "W. Felix Handte" <w@felixhandte.com>
Message-ID: <0a7e4dad-d86b-ebf5-6c7f-781afba3af3e@felixhandte.com>
Date: Wed, 30 Oct 2019 12:15:22 -0400
In-Reply-To: <c5e37168-b958-8b13-ab97-f9a7f5352b24@gmail.com>
Subject: Re: New I-D: Security Considerations Regarding Compression Dictionaries
Archived-At: <https://www.w3.org/mid/0a7e4dad-d86b-ebf5-6c7f-781afba3af3e@felixhandte.com>

On 10/30/19 5:43 AM, Soni L. wrote:
> So, what you're saying, is that this wouldn't be an issue if we were 
> using public-key-based authentication and session tokens?
> 
> Like this? https://soniex2.autistic.space/posts/2019/06/uweb.xhtml (or, 
> perhaps, this? https://awoo.space/@SoniEx2/102972533369915352 )

Secret tokens (passwords, keys, cookies, etc.) are likely the most 
important kind of content to protect, but also definitely not the only 
kind. Message bodies themselves may contain secrets worth attacking 
(credit card numbers).
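The reply's point that message bodies carrying data such as credit card numbers are also exposed to compression side channels suggests a simple defensive gate: before a server applies shared-dictionary (or any) compression to a response, check whether the body carries such data and, if so, serve it without compression. The following is an added example written for this page; it is not code from the thread or from the draft under discussion. It assumes a server-side policy in which responses marked `Cache-Control: no-store` or `private`, or whose bodies contain a Luhn-valid 13 to 19 digit number, are never dictionary-compressed; the regex, the Luhn check and the sample bodies are all constructed here.

```python
import re
from typing import List

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or hyphens, not embedded in a longer digit run.
# Constructed for this example; tune to the formats your application emits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> List[str]:
    """Return the normalised card-number-looking strings found in a body.

    A digit run only counts when it is 13-19 digits long and Luhn-valid, so
    order numbers and timestamps are usually rejected.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def may_use_shared_dictionary(body: str, cache_control: str = "") -> bool:
    """Decide whether a response may be compressed against a shared dictionary.

    Policy (an assumption of this example, not from the draft): responses the
    application already marks as not shareable, and responses whose bodies
    contain a card number, are served without dictionary compression so that
    their compressed length cannot reveal anything about that content.
    """
    cc = cache_control.lower()
    if "no-store" in cc or "private" in cc:
        return False
    return not find_card_numbers(body)


if __name__ == "__main__":
    # Constructed sample bodies.
    samples = [
        ("Welcome to the public catalog. Order ref 20191030161522.", ""),
        ("Card on file: 4111 1111 1111 1111 (expires 12/24)", ""),
        ("Your account summary", "private, no-store"),
    ]
    for body, cc in samples:
        print(may_use_shared_dictionary(body, cc), repr(body[:40]))
```

The Luhn filter keeps the gate from firing on every long digit run (the constructed order reference above fails the checksum), but it is a heuristic: a body can carry other secrets that no regex recognises, so the `Cache-Control` signal from the application is the more reliable input, and the content scan is a second line of defence.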