Re: [TLS] TLS 1.3 - Support for compression to be removed

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 20 September 2015 21:02 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Salz, Rich" <rsalz@akamai.com>, Julien ÉLIE <julien@trigofacile.com>, "tls@ietf.org" <tls@ietf.org>
In-Reply-To: <77583acbe981488493fd4f0110365dae@ustx2ex-dag1mb1.msg.corp.akamai.com>
References: <79C632BCF9D17346A0D3285990FDB01AA3B9DAD8@HOBEX21.hob.de> <55FC5822.5070709@trigofacile.com> <77583acbe981488493fd4f0110365dae@ustx2ex-dag1mb1.msg.corp.akamai.com>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Sat, 19 Sep 2015 15:04:05 -0400
Message-ID: <87h9mqgriy.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vKCbRGY-AODTAn0ZAOJm6PzyZnw>
Subject: Re: [TLS] TLS 1.3 - Support for compression to be removed
Precedence: list

On Fri 2015-09-18 15:47:27 -0400, "Salz, Rich" <rsalz@akamai.com> wrote:
> Can NNTP and HOB/VPN stay on TLS 1.2 which does have the compression
> feature you need?  What TLS 1.3 feature is compelling here?

I think this line of argument is worrisome -- we should try to avoid
leaving behind protocols that need TLS, if we ever want to be able to
deprecate TLS 1.2 the way we've (finally) deprecated SSLv3.

That said, i think there are multiple approaches for NNTP and HOB/VPN
that don't involve using compression at the TLS layer.

For instance, with NNTP, if they're certain that CRIME isn't a risk for
their use case, they could introduce a STARTCOMPRESSION verb by analogy
to STARTTLS.  If the only reason they're using TLS in the first place is
for compression, this would be a simpler and less-risky approach in
terms of software dependencies as well.  I don't know enough about HOB's
use of TLS to know whether they could shim their own compression layer
in between the VPN traffic or not.

The TLS WG knows that compression represents a serious risk to encrypted
traffic, especially in situations like browsers where an adversary can
direct a peer to initiate protocol action.  Compression itself also
represents added complexity for protocol analysis.

I think we should remove compression and we should also explicitly warn
users of the protocol about the risks of combining compression with TLS.

      --dkg

[TLS] TLS 1.3 - Support for compression to be rem… Alewa, Christos
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Kurt Roeckx
Re: [TLS] TLS 1.3 - Support for compression to be… Loganaden Velvindron
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Geoffrey Keating
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Karthikeyan Bhargavan
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Viktor Dukhovni
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Daniel Kahn Gillmor
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Thijs van Dijk
Re: [TLS] TLS 1.3 - Support for compression to be… Simon Josefsson
Re: [TLS] TLS 1.3 - Support for compression to be… Blumenthal, Uri - 0553 - MITLL
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Stephen Farrell
Re: [TLS] TLS 1.3 - Support for compression to be… Joseph Lorenzo Hall
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Yoav Nir
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Stephen Farrell
Re: [TLS] TLS 1.3 - Support for compression to be… Yoav Nir
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Benjamin Kaduk
Re: [TLS] TLS 1.3 - Support for compression to be… Kurt Roeckx
Re: [TLS] TLS 1.3 - Support for compression to be… Peter Gutmann
Re: [TLS] TLS 1.3 - Support for compression to be… Colm MacCárthaigh
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Colm MacCárthaigh
Re: [TLS] TLS 1.3 - Support for compression to be… Bill Frantz
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Björn Tackmann
Re: [TLS] TLS 1.3 - Support for compression to be… Bill Frantz
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Yoav Nir
Re: [TLS] TLS 1.3 - Support for compression to be… Nikos Mavrogiannopoulos
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE
Re: [TLS] TLS 1.3 - Support for compression to be… Jeremy Harris
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Viktor Dukhovni
Re: [TLS] TLS 1.3 - Support for compression to be… Yuhong Bao
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Viktor Dukhovni
Re: [TLS] TLS 1.3 - Support for compression to be… takamichi saito
Re: [TLS] TLS 1.3 - Support for compression to be… Roland Zink
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Daniel Kahn Gillmor
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Yoav Nir
Re: [TLS] TLS 1.3 - Support for compression to be… Daniel Kahn Gillmor
Re: [TLS] TLS 1.3 - Support for compression to be… Ilari Liusvaara
Re: [TLS] TLS 1.3 - Support for compression to be… takamichi saito
Re: [TLS] TLS 1.3 - Support for compression to be… takamichi saito
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Yoav Nir
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Salz, Rich
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Thomson
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Thomson
Re: [TLS] TLS 1.3 - Support for compression to be… Douglas Stebila
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Short, Todd
Re: [TLS] TLS 1.3 - Support for compression to be… Geoffrey Keating
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Bill Frantz
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Jeffrey Walton
Re: [TLS] TLS 1.3 - Support for compression to be… Tony Arcieri
Re: [TLS] TLS 1.3 - Support for compression to be… Short, Todd
Re: [TLS] TLS 1.3 - Support for compression to be… Eric Rescorla
Re: [TLS] TLS 1.3 - Support for compression to be… Joseph Salowey
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Watson Ladd
Re: [TLS] TLS 1.3 - Support for compression to be… Martin Rex
Re: [TLS] TLS 1.3 - Support for compression to be… Dave Garrett
Re: [TLS] TLS 1.3 - Support for compression to be… takamichi saito
Re: [TLS] TLS 1.3 - Support for compression to be… takamichi saito
Re: [TLS] TLS 1.3 - Support for compression to be… Julien ÉLIE