Re: [TLS] TLS 1.3 - Support for compression to be removed

Eric Rescorla <ekr@rtfm.com> Mon, 05 October 2015 04:06 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 371F11B2F21 for <tls@ietfa.amsl.com>; Sun, 4 Oct 2015 21:06:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iczH91LfmD5r for <tls@ietfa.amsl.com>; Sun, 4 Oct 2015 21:06:55 -0700 (PDT)
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 464AF1B2F28 for <tls@ietf.org>; Sun, 4 Oct 2015 21:06:53 -0700 (PDT)
Received: by wicfx3 with SMTP id fx3so96209265wic.0 for <tls@ietf.org>; Sun, 04 Oct 2015 21:06:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=rRmr7Tw/9vgEOGIClCMNHZDOjlbSciTIRk9WL9Z4Snw=; b=eGBizPoR+zGLD0dn5QoyIUtnB+EDhcmt+ZWzb4oVxvkYsZ+0/Pcx6ktd2WEZpj09vk lVKFEuTeAxgyeD1Lnp/ie1OSlS/Aqd6jW1z1LbWddAgDy185JddfbAC0VlIHBuD3QRgC tabIsmXdjP2O8p/TCbfGkbolCJs3fxMyAiwcmbyFlavnsHvfP+Jm8QZ/iixE0x9GbDMx dDHZLDXfdwn4YLPiCZmIdlakbHvbTM59ZJHQrkfQ/Aizw2IXmTZqx2LuX5xFzX72cqil fFPk0/jbGlytx/TSjpweQa1FGjGJKzahVQhz1tTDlZtsZQK3pCOS4DRsbugpBfVWCj7+ LxvQ==
X-Gm-Message-State: ALoCoQmqnkR3XXwyzzyBhBb+L2VonmYoFhOx8qvBTHKPNg0coGiVzjSWiP5Usn7uZBz2tMtuFKiR
X-Received: by 10.180.184.201 with SMTP id ew9mr9810707wic.53.1444018011829; Sun, 04 Oct 2015 21:06:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.79.200 with HTTP; Sun, 4 Oct 2015 21:06:11 -0700 (PDT)
In-Reply-To: <CABkgnnX_3VZZLb8HdM=zqLp70dsURM1gPiSZdE9nzDByaMkBzw@mail.gmail.com>
References: <79C632BCF9D17346A0D3285990FDB01AA3B9DAD8@HOBEX21.hob.de> <55FC5822.5070709@trigofacile.com> <77583acbe981488493fd4f0110365dae@ustx2ex-dag1mb1.msg.corp.akamai.com> <55FC7343.3090301@trigofacile.com> <6796F70E-44FD-4CD8-A691-6D0BFAE6EFDC@cs.meiji.ac.jp> <682cb934aeeb42fabdf1fecfccf4c5b5@ustx2ex-dag1mb3.msg.corp.akamai.com> <7E1B8B3D-DEF5-439A-8E56-0CB2DFC061A8@cs.meiji.ac.jp> <ED4C2E8B-3327-451E-8E59-D87705B935C8@gmail.com> <84faf2113b9946f79763886867d65925@ustx2ex-dag1mb3.msg.corp.akamai.com> <CAH8yC8=JcWo+4rtymKLCfs3aKFQmCc+C4jD0eb74jbfMLJFAaw@mail.gmail.com> <CABcZeBOD+jwFDaed6sqfBGabR1kpRjnAvAb5Pm9jCk43=s4Fzg@mail.gmail.com> <CABkgnnX_3VZZLb8HdM=zqLp70dsURM1gPiSZdE9nzDByaMkBzw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 04 Oct 2015 21:06:11 -0700
Message-ID: <CABcZeBOPd55SFGD13-jUsqLGOMxhEYbcrYcxdOQC2D39cJESGQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c384c4a515b1052153a451"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/4KmCT1ikQx3JAqXsqxiWuSwv3ko>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 - Support for compression to be removed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2015 04:06:57 -0000

On Sun, Oct 4, 2015 at 9:01 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 4 October 2015 at 19:26, Eric Rescorla <ekr@rtfm.com> wrote:
> > Consider the trivial case of ASCII text. Each character takes up the
> > same amount of room, but if you compress (as an intuition pump,
> > think of a simple Huffman code), then more common characters
> > take up less room than less common characters.
>
> This is right, but it's also not the case that revealing information
> like that is necessarily bad.


I didn't say it was. But it's also leaking information that the encryption
didn't, which is intended as a simple counterexample to Jeffrey's claim.


HPACK for instance compresses base64-encoded data unevenly.  But the
> study that was run in 2013 determined that it wasn't especially
> interesting. [32] shows ~2 bits regained from a 30 character word.  Of
> course, you should examine the conditions on that claim; such a result
> is not generally applicable.  Mixing attacker-controlled data with
> secrets has shown to make protecting those secrets extremely
> difficult.
>

Yes, if the attacker can provide their own data, it makes matters worse,
but as the reference I provided indicated, there are potential security
issues even if the attacker is not able to do so, provided that the data
is sufficiently redundant.

-Ekr