Re: [TLS] TLS 1.3 - Support for compression to be removed

Jeffrey Walton <> Sun, 04 October 2015 18:54 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 737D91B3496 for <>; Sun, 4 Oct 2015 11:54:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1xdTsUuGFLeD for <>; Sun, 4 Oct 2015 11:54:00 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C659C1B2D8D for <>; Sun, 4 Oct 2015 11:48:19 -0700 (PDT)
Received: by igcrk20 with SMTP id rk20so47564622igc.1 for <>; Sun, 04 Oct 2015 11:48:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:content-transfer-encoding; bh=hu3X+zcIt/pnobfTiUKDaqSHWOCqiQrg+/RmcBZ4HHw=; b=0Dgyb671y4H1kqIgaBqPIiBZfy3QebecMrqWaGHFJlgKv8sUYLDGFwFL+uA7PeL6Ke ZVC7wfY8QLIXBls/7Agr6AXX1eX/BxIpI2xfaSPRKa6va/Tg1BTVSNauFHUSnwrhjqqw QLw2fEHSK9y516hvT0A3JEBtcJXgzgMExcKBTo5HM0hKlKQaiNPwZ7EXHYZ5QA22/v1G ZbZlx7/ynwLodFvdifDuK2ROQKlGllJWWVJep/zrUTH5SnGi8zHwJRrOM3ctWTfKaoPh WyE0EL/lYphP3Vo5HYWjgORiw+KgLvzD6P9e+UXFDtnQtGL3YUn3ShY62s7zTVBtMDNT nVwg==
MIME-Version: 1.0
X-Received: by with SMTP id f9mr5897781igt.22.1443984499308; Sun, 04 Oct 2015 11:48:19 -0700 (PDT)
Received: by with HTTP; Sun, 4 Oct 2015 11:48:19 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <>
Date: Sun, 04 Oct 2015 14:48:19 -0400
Message-ID: <>
From: Jeffrey Walton <>
To: Dave Garrett <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] TLS 1.3 - Support for compression to be removed
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 04 Oct 2015 18:54:01 -0000

On Sun, Oct 4, 2015 at 2:32 PM, Dave Garrett <> wrote:
> On Sunday, October 04, 2015 01:58:09 pm Jeffrey Walton wrote:
>> Is that necessarily true?
> It should be apparent by now that the dominant opinion is that compression in TLS is not worth the risk and not worth the time to attempt to deal with here. Whether or not a generic compression algorithm could theoretically be made safe is irrelevant at this point. It's a known-dangerous attack surface that we don't want the risk of.

If I am reading things correctly: the group has effectively
encountered a security problem, deemed it to be too hard for them, and
then pushed it into another layer where folks are even less equipped
to deal with it. Is that correct?

I might be missing something, but I don't believe the "problems
created by compression" have gone away. Rather, they have been moved
around so the risk remains. The underlying problem still exists
because the group responsible for providing those security services
have not addressed them.