Re: [TLS] TLS 1.3 - Support for compression to be removed

Stephen Farrell <> Tue, 22 September 2015 19:29 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6FD871ACD9D for <>; Tue, 22 Sep 2015 12:29:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BUhgwwn44bDS for <>; Tue, 22 Sep 2015 12:29:14 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3E13E1B2C6A for <>; Tue, 22 Sep 2015 12:29:12 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9A27BBE7B; Tue, 22 Sep 2015 20:29:09 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9YUa4M5eBvBM; Tue, 22 Sep 2015 20:29:08 +0100 (IST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id A4E1DBE5C; Tue, 22 Sep 2015 20:29:07 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1442950148; bh=N9YuJ3vcjQW59B4jTIDV2lHD/OcaCknof+dSZcm0xQg=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=x6H9zqxEyqVUIXoyE/ynYfJU5QHDuvmDfuydvn71pvX/+BkoIVcaqlWme9aCd9lQR nWRhSs/tOsh6ZHdb9LDZPmliXbEqqu+f3nNQThUUokNczxJEGq+EZIZXPtyESVxNX4 wQwmE7904zDtwB9/fcXtmPBkP/Q4RX+0ySbmSM4s=
To: Yoav Nir <>
References: <> <> <> <>
From: Stephen Farrell <>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <>
Date: Tue, 22 Sep 2015 20:29:07 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <>
Cc: "" <>, Simon Josefsson <>
Subject: Re: [TLS] TLS 1.3 - Support for compression to be removed
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 22 Sep 2015 19:29:15 -0000

On 22/09/15 19:32, Yoav Nir wrote:
>> On Sep 22, 2015, at 8:35 PM, Stephen Farrell <> wrote:
>> On 22/09/15 17:23, Tony Arcieri wrote:
>>> But an unsafe feature shouldn't be kept in
>>> TLS just because some protocols want to do unsafe things and are too lazy
>>> to implement their own compression.
>> Compression does have issues clearly, but it's not correct to describe
>> people wanting TLS to compress as lazy. They're rather looking for the
>> same features that TLS has offered for a couple of decades. So if there
>> were a way to help them, that'd be good. And if not, the onus I think
>> is on us in this WG to clearly explain why we're removing that feature
>> in TLS1.3.
>> That doesn't have to be text in the TLS1.3 specification but I would
>> guess the question may keep coming up, so documenting the answer in
>> some archival form (such as an RFC:-) might be a good plan.
> Doesn’t this count?

It does count, but doesn't cover TLS1.3. And it's when TLS1.3 hits the
shelves that we'll maybe get more and more folks waking up to the fact
that we've removed functionality. (That's not so different to what seems
to be happening with HTTP/2 and client-auth maybe.)

But yes, text along those lines is what'd be needed. Depending on the
overall scope, one might want more self-contained text and less of a
dependency on references, not sure.


> 3.3.  Compression
>    In order to help prevent compression-related attacks (summarized in
>    Section 2.6 of [RFC7457]), implementations and deployments SHOULD
>    disable TLS-level compression (Section 6.2.2 of [RFC5246]), unless
>    the application protocol in question has been shown not to be open to
>    such attacks.
>    Rationale: TLS compression has been subject to security attacks, such
>    as the CRIME attack.
> (From RFC 7525)
> Sure, we could leave compression in the spec, and recommend that HTTP MUST NOT use it while NNTP MAY. 
> A protocol for multiple use-cases can be either one size fits all, or else have a bunch of knobs for the different uses. I prefer the one size fits all approach.
> More specific to compression: people had been using TLS (and SSL) to encrypt HTTP for over two decades before the CRIME attack. That’s how long it took to realize that it is dangerous for HTTP. Are people that sure that a similar issue doesn’t exist for the much less analyzed NNTP?
> Yoav