Re: [TLS] TLS 1.3 - Support for compression to be removed

Jeffrey Walton <noloader@gmail.com> Sun, 04 October 2015 17:58 UTC

MIME-Version: 1.0
In-Reply-To: <CAHOTMVL+C4Q2=wAVMWmSbyzmmZb7o6pucN=bEKv70eq8wWLA_w@mail.gmail.com>
References: <79C632BCF9D17346A0D3285990FDB01AA3B9DAD8@HOBEX21.hob.de> <55FC5822.5070709@trigofacile.com> <77583acbe981488493fd4f0110365dae@ustx2ex-dag1mb1.msg.corp.akamai.com> <55FC7343.3090301@trigofacile.com> <6796F70E-44FD-4CD8-A691-6D0BFAE6EFDC@cs.meiji.ac.jp> <682cb934aeeb42fabdf1fecfccf4c5b5@ustx2ex-dag1mb3.msg.corp.akamai.com> <7E1B8B3D-DEF5-439A-8E56-0CB2DFC061A8@cs.meiji.ac.jp> <ED4C2E8B-3327-451E-8E59-D87705B935C8@gmail.com> <CAHOTMVL+C4Q2=wAVMWmSbyzmmZb7o6pucN=bEKv70eq8wWLA_w@mail.gmail.com>
Date: Sun, 04 Oct 2015 13:58:09 -0400
Message-ID: <CAH8yC8nRoAk1KxQRKp3Yr8y8Yut3hc5pOgJ-hqShO3qb6cg2wQ@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/X-CXGJo1i0yaXzQTalQ7xjpgeSw>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 - Support for compression to be removed
Precedence: list
Reply-To: noloader@gmail.com

>> An even more executive-level lesson might be that security layers should
>> not provide non-security services, but that is not really convincing because
>> if there was a separate compression layer that you could compose with the
>> security layer in TLS, CRIME would still be possible. To compress HTTP
>> without the danger of CRIME you need to either not compress header fields
>> with sensitive information, not compress header fields that might be
>> controlled by an attacker, or at least delegate those to a separate
>> compression state.
>
>
> The attack you're describing (or one fairly close to it) already happened,
> and it's called BREACH. It impacts HTTP compression, and allows attackers to
> recover things like CSRF tokens in page bodies.
>
> The takeaway for me is you can't mix compression, any fixed value an
> attacker wishes to learn, and attacker-controlled data, or there will be a
> compression side-channel.

Is that necessarily true?

Deflate violates semantic security by allowing the attacker to gain
information across messages (even though any single message is
secure). So perhaps its the mode of compression ot the way compression
was implemented, and not compression itself.

Jeff

[TLS] TLS 1.3 - Support for compression to be rem… Alewa, Christos
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Kurt Roeckx
Re: [TLS] TLS 1.3 - Support for compression to be… Loganaden Velvindron
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Geoffrey Keating
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Karthikeyan Bhargavan
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Viktor Dukhovni
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Daniel Kahn Gillmor
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Thijs van Dijk
Re: [TLS] TLS 1.3 - Support for compression to be… Simon Josefsson
Re: [TLS] TLS 1.3 - Support for compression to be… Blumenthal, Uri - 0553 - MITLL
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Stephen Farrell
Re: [TLS] TLS 1.3 - Support for compression to be… Joseph Lorenzo Hall
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Yoav Nir
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Stephen Farrell
Re: [TLS] TLS 1.3 - Support for compression to be… Yoav Nir
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Benjamin Kaduk
Re: [TLS] TLS 1.3 - Support for compression to be… Kurt Roeckx
Re: [TLS] TLS 1.3 - Support for compression to be… Peter Gutmann
Re: [TLS] TLS 1.3 - Support for compression to be… Colm MacCárthaigh
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Colm MacCárthaigh
Re: [TLS] TLS 1.3 - Support for compression to be… Bill Frantz
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Björn Tackmann
Re: [TLS] TLS 1.3 - Support for compression to be… Bill Frantz
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Yoav Nir
Re: [TLS] TLS 1.3 - Support for compression to be… Nikos Mavrogiannopoulos
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Jeremy Harris
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Viktor Dukhovni
Re: [TLS] TLS 1.3 - Support for compression to be… Yuhong Bao
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Viktor Dukhovni
Re: [TLS] TLS 1.3 - Support for compression to be… takamichi saito
Re: [TLS] TLS 1.3 - Support for compression to be… Roland Zink
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Daniel Kahn Gillmor
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Yoav Nir
Re: [TLS] TLS 1.3 - Support for compression to be… Daniel Kahn Gillmor
Re: [TLS] TLS 1.3 - Support for compression to be… Ilari Liusvaara
Re: [TLS] TLS 1.3 - Support for compression to be… takamichi saito
Re: [TLS] TLS 1.3 - Support for compression to be… takamichi saito
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Yoav Nir
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Thomson
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Thomson
Re: [TLS] TLS 1.3 - Support for compression to be… Douglas Stebila
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Short, Todd
Re: [TLS] TLS 1.3 - Support for compression to be… Geoffrey Keating
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Bill Frantz
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Short, Todd
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Joseph Salowey
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… takamichi saito
Re: [TLS] TLS 1.3 - Support for compression to be… takamichi saito
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE