Re: [TLS] Confirmation of Consensus on Removing Compression from TLS 1.3

mrex@sap.com (Martin Rex) Wed, 26 March 2014 22:02 UTC


Paterson, Kenny wrote:
> 
> Really? I assume you know about CRIME??

Yes, I do.  Similar to BEAST, it is *NOT* an attack.
It is a pretty boring demonstration of the principle of operation
of querying an encryption oracle (BEAST) or compression oracle (CRIME).

None of the alleged "fixes" against BEAST and CRIME addresses the
real vulnerability.  Even with compression disabled and TLSv1.1+ or
AEAD cipher suites, the vulnerability is WIDE OPEN.  The attacker's
code could, rather than performing a demonstration of a boring
principle, submit any attacker-desired nefarious request to the
server, the browser will blissfully insert the authentication-credentials
into that nefarious request, and the server will blissfully execute
the request.  No matter what fancy stuff the TLS WG puts into TLSv1.3,
the attack will continue to work as long as the browser keeps doing
the stupid stuff: voluntarily and blissfully inserting authentication
credentials into requests that the browser performs on the attacker's
behalf.


-Martin
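
Added example, not part of the message above or of any TLS WG text: one server-side way to refuse a request that a foreign page caused the browser to send, given that the attached session cookie says nothing about who composed the request. The origin `https://bank.example`, the `X-CSRF-Token` header name, the function names and the sample requests are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://bank.example"    # assumed origin of the application
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed to have no side effects
SESSION_TOKEN = "constructed-token-1f3a"   # constructed per-session secret


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; None if it is not absolute."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def allow_request(method, headers, session_token):
    """Decide whether a cookie-authenticated request may be executed."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True
    # 1. Fetch Metadata: if the browser says where the request started,
    #    anything other than our own origin is refused.
    if h.get("sec-fetch-site", "same-origin") != "same-origin":
        return False
    # 2. Origin (Referer as fallback) must name our own origin. A missing
    #    or opaque ("null") value is treated as foreign.
    source = h.get("origin") or h.get("referer")
    if source is None or origin_of(source) != TRUSTED_ORIGIN:
        return False
    # 3. A per-session token that a foreign page cannot read, compared in
    #    constant time. The cookie itself is never used as proof of intent.
    supplied = h.get("x-csrf-token", "")
    return hmac.compare_digest(supplied.encode(), session_token.encode())


# Constructed sample requests: both carry the same valid session cookie.
FORGED = {"Cookie": "sid=abc", "Origin": "https://attacker.example",
          "Sec-Fetch-Site": "cross-site"}
GENUINE = {"Cookie": "sid=abc", "Origin": "https://bank.example",
           "Sec-Fetch-Site": "same-origin", "X-CSRF-Token": SESSION_TOKEN}

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, allow_request("POST", req, SESSION_TOKEN))
```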