[TLS] Compression along with TLS in NNTP
Julien ÉLIE <julien@trigofacile.com> Fri, 10 June 2016 20:43 UTC
Return-Path: <julien@trigofacile.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02DC812D74E for <tls@ietfa.amsl.com>; Fri, 10 Jun 2016 13:43:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Level:
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_HELO_HOME=1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UbD6cDq3B16q for <tls@ietfa.amsl.com>; Fri, 10 Jun 2016 13:43:10 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp07.smtpout.orange.fr [80.12.242.129]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 229DF12D1B7 for <tls@ietf.org>; Fri, 10 Jun 2016 13:43:08 -0700 (PDT)
Received: from macbook-pro-de-julien-elie.home ([92.170.5.52]) by mwinf5d42 with ME id 58j61t00P17Lgi4038j7iz; Fri, 10 Jun 2016 22:43:07 +0200
X-ME-Helo: macbook-pro-de-julien-elie.home
X-ME-Auth: anVsaWVuLmVsaWVAd2FuYWRvby5mcg==
X-ME-Date: Fri, 10 Jun 2016 22:43:07 +0200
X-ME-IP: 92.170.5.52
To: "tls@ietf.org" <tls@ietf.org>, uta@ietf.org
From: Julien ÉLIE <julien@trigofacile.com>
Organization: TrigoFACILE -- http://www.trigofacile.com/
Message-ID: <b7806285-193d-08f9-6b81-a19d0fdfae2d@trigofacile.com>
Date: Fri, 10 Jun 2016 22:43:06 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3eXPzanny9NrRLeMlx9TBA6b6zc>
Subject: [TLS] Compression along with TLS in NNTP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jun 2016 20:43:12 -0000
Hi all, Last year, in September 2015, we spoke about the removal of TLS-level compression in TLS 1.2. NNTP was relying on this feature provided by previous TLS versions to compress data. We agreed that the right move was to standardize a new NNTP command. It is what we finally did with the COMPRESS extension. Interoperability is proven: two news servers (INN, Cyrus NNTP) and a news client (flnews) have already implemented it. It also works fine with Python nntplib+zlib libraries. Here is the latest version of the draft: https://tools.ietf.org/html/draft-murchison-nntp-compress-03 If you have any comments, please don't hesitate to tell. Especially, I have a question: o How are TLS (and SASL) specific exchanges supposed to be handled? Should it be mentioned in the RFC that they are outside the scope of NNTP compression? (I speak of stuff like TLS handshakes, renegotiations, etc. that can occur after the use of COMPRESS. OpenSSL may use SSL_read/SSL_write on its own, mayn't it? And it does not know that it should compress data...) Here is an extract of the paragraphs dealing with TLS in the draft, so that you can easily see what to comment (wording improvement, missing stuff...). The point of COMPRESS as an NNTP extension is to behave as a transport layer, similar to STARTTLS [RFC4642]. Compression can therefore benefit to all NNTP commands sent or received after the use of COMPRESS. [...] 1.1. About TLS-level Compression Though data compression is made possible via the use of TLS with NNTP [RFC4642], the best current practice is to disable TLS-level compression as explained in Section 3.3 of [RFC7525]. The COMPRESS command will permit to keep the compression facility in NNTP and control when it is available during a connection. Compared to TLS-level compression [RFC3749], NNTP COMPRESS has the following advantages: o COMPRESS can be implemented easily both by NNTP servers and clients. o COMPRESS benefits from an intimate knowledge of the NNTP protocol's state machine, allowing for dynamic and aggressive optimization of the underlying compression algorithm's parameters. o COMPRESS can be activated after authentication has completed thus reducing the chances that authentication credentials can be leaked via for instance a CRIME attack ([RFC7457] Section 2.6). [...] 2.2.2. Description [...] Both the client and the server MUST know if there is a compression layer active (for instance via the previous use of the COMPRESS command or the negotiation of a TLS-level compression [RFC3749]). A client MUST NOT attempt to activate compression or negotiate a TLS layer (for instance via the use of the COMPRESS or STARTTLS [RFC4642] commands) if a compression layer is already active. A server MUST NOT return the COMPRESS or STARTTLS capability labels in response to a CAPABILITIES command received after a compression layer is active, and a server MUST reply with a 502 response code if a syntactically valid COMPRESS or STARTTLS command is received while a compression layer is already active. [...] 6. Security Considerations Security issues are discussed throughout this document. In general, the security considerations of the NNTP core specification ([RFC3977] Section 12) and the DEFLATE compressed data format specification ([RFC1951] Section 6) are applicable here. Implementers should be aware that combining compression with encryption like TLS can sometimes reveal information that would not have been revealed without compression, as explained in Section 6 of [RFC3749]. As a matter of fact, adversaries that observe the length of the compressed data might be able to derive information about the corresponding uncompressed data. The CRIME and the BREACH attacks ([RFC7457] Section 2.6) are examples of such case. In order to help mitigate leaking authentication credentials, this document states in Section 2.2.2 that authentication SHOULD NOT be attempted when a compression layer is active. Therefore, when a client wants to authenticate, compress data, and negotiate a secure TLS layer (without TLS-level compression) in the same NNTP connection, it SHOULD use the STARTTLS, AUTHINFO, and COMPRESS commands in that order. Of course instead of using the STARTTLS command, a client can also use implicit TLS, that is to say it begins the TLS negotiation immediately upon connection on a separate port dedicated to NNTP over TLS. NNTP commands other than AUTHINFO are not believed to divulgate confidential information as far as public Netnews newsgroups and articles are concerned. That is why this specification only adds a restriction to the use of AUTHINFO when a compression layer is active. In case private and confidential newsgroups or articles are accessed, a server SHOULD NOT allow compression, and a client SHOULD NOT attempt to activate compression, for the same reasons as mentioned above in this Section. Implementations MUST support a configuration where compression can be easily disabled. Future extensions to NNTP that define commands conveying confidential data SHOULD ensure to state that they SHOULD NOT be used along with compression. Thanks again for your useful comments! -- Julien ÉLIE « Pourvu que ça dure ! » (Letizia Bonaparte)
- Re: [TLS] [Uta] Compression along with TLS in NNTP Julien ÉLIE
- [TLS] Compression along with TLS in NNTP Julien ÉLIE
- Re: [TLS] [Uta] Compression along with TLS in NNTP Julien ÉLIE
- Re: [TLS] [Uta] Compression along with TLS in NNTP Julien ÉLIE
- Re: [TLS] Compression along with TLS in NNTP Jeffrey Walton
- Re: [TLS] [Uta] Compression along with TLS in NNTP Julien ÉLIE
- Re: [TLS] [Uta] Compression along with TLS in NNTP Ángel González
- Re: [TLS] [Uta] Compression along with TLS in NNTP Ángel González