Re: [TLS] Confirmation of Consensus on Removing Compression from TLS 1.3

Alyssa Rowan <akr@akr.io> Thu, 27 March 2014 12:37 UTC

From: Alyssa Rowan <akr@akr.io>
Date: Thu, 27 Mar 2014 12:37:29 +0000
To: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <f15dd559-d532-471b-a7a1-8fe17851d46e@email.android.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/nCBBOWJX0J_p47Wdr4qGxw10920
Subject: Re: [TLS] Confirmation of Consensus on Removing Compression from TLS 1.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 26 March 2014 18:42:51 GMT+00:00, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com> wrote:
>The consensus in the room at IETF-89 was to remove compression from TLS 1.3
>to remove this attack vector.

+1 Remove compression.

Compression is usually best performed as "high" as possible; the transport layer is blind to what's being compressed, which (as we now know) was definitely too low and was in retrospect a mistake.

Any application layer protocol needs to know - if compression is supported - to separate compression contexts for attacker-chosen plaintext and attacker-sought unknown secrets. (As others have stated, HTTPbis covers this.)

Any encrypted (or unencrypted) protocol could potentially have a size oracle where compression dictionaries were mixed in that case. That's an issue for the security of the underlying protocol, although I think we should draw strong attention to it and remind implementers that we cannot protect from that (and make no attempt to protect from size oracles in TLS in general).

- --
/akr
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

-----END PGP SIGNATURE-----
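
Added example, not part of the original message: a Python sketch using zlib that compares the observable message size when an attacker-influenced field and a secret share one compression context versus when each has its own. The token values and the function names are constructed for illustration.

```python
import zlib

# Constructed sample tokens (same length, same alphabet); not real values.
TOKEN_A = b"session=7f3a9c1e5b2d4086af91c3d7e5b20f64"
TOKEN_B = b"session=c40e8b17d9a2563f1e7b08d4a6f3952c"


def deflate_len(*fields: bytes) -> int:
    """Output size when all given fields pass through ONE DEFLATE context."""
    ctx = zlib.compressobj(9)
    return sum(len(ctx.compress(f)) for f in fields) + len(ctx.flush())


def shared_context_len(attacker_field: bytes, secret_field: bytes) -> int:
    """Mixed dictionary: the secret can be encoded as a back-reference
    into the attacker-influenced bytes that precede it."""
    return deflate_len(attacker_field, secret_field)


def separate_context_len(attacker_field: bytes, secret_field: bytes) -> int:
    """Each field gets its own context, so neither dictionary ever
    contains bytes from the other field."""
    return deflate_len(attacker_field) + deflate_len(secret_field)


def length_gap(length_fn, secret: bytes) -> int:
    """Size difference an observer sees between sending TOKEN_B and
    sending TOKEN_A as the attacker-influenced field, for a given secret."""
    return length_fn(TOKEN_B, secret) - length_fn(TOKEN_A, secret)


if __name__ == "__main__":
    for name, fn in (("shared", shared_context_len),
                     ("separate", separate_context_len)):
        print(f"{name:9s} secret=A gap={length_gap(fn, TOKEN_A):+d}  "
              f"secret=B gap={length_gap(fn, TOKEN_B):+d}")
```

With the shared context the sign of the gap follows the secret, which is the size oracle; with separate contexts the gap is identical whatever the secret is, so message size says nothing about it.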