[saag] New I-D: Security Considerations Regarding Compression Dictionaries
"W. Felix Handte" <w@felixhandte.com> Thu, 31 October 2019 21:38 UTC
To: saag@ietf.org
From: "W. Felix Handte" <w@felixhandte.com>
Message-ID: <0977c11c-d394-5fc1-e753-8c287e8a5de7@felixhandte.com>
Date: Thu, 31 Oct 2019 17:38:13 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/VPa3hBmGlORb2GCBTKbuelh6HCk>
Hello all,

For a year now, I've been discussing in the http wg the possibility of specifying a new content-encoding for http traffic that uses dictionary-based compression. (Dictionary-based compression is a really powerful tool that we've had a lot of success deploying internally at Facebook and that is seeing increasing adoption elsewhere [0].)

To make a long story short: this is not a new idea. There have been a number of previous attempts at specifying a better compression scheme for HTTP that relies on external state. Of those proposals, most have met their demise at the hands of security concerns. The common refrain has been that the security implications are not well understood, and that until they are, any dictionary-based compression scheme will be viewed with a great deal of suspicion.

Accordingly, I have been working to perform a security analysis of dictionary-based compression in the context of internet protocols, and have just published a draft [1]. Your feedback, thoughts, etc. are greatly appreciated!

I will be presenting this at httpbis session 2 in Singapore. It was suggested to me that this work might also be of interest to this group. If it makes sense, I would be happy to present and discuss it in Singapore with the SAAG WG as well.

Thanks,
Felix

[0] https://engineering.fb.com/core-data/zstandard/
[1] https://datatracker.ietf.org/doc/draft-handte-httpbis-dict-sec/