Re: [TLS] TLS 1.3

On Sat, Oct 3, 2015 at 3:36 PM, takamichi saito <saito@cs.meiji.ac.jp>
wrote:

>
> On 2015/10/02, at 22:59, Roland Zink wrote:
>
> > Browsers are not a concern as they already have their own comp/decomp
> codes. HTTP/1 can compress content (Content-encoding and transfer-encoding)
> and HTTP2 has additional header compression.
> >
> > Regards,
> > Roland
> >
>
> I see,
> but contrary,
> tls is only for browser?
>
> And more,
> if you kick out comp/decomp from tls,
> can we be safer when we use tls?
> If you know the paper, please teach me.
>
> Or, rfc or good teacher should notify us,
> "When you use TLSv1.3, you never use compression, sorry!"
>

That is what the document says:
"Versions of TLS before 1.3 supported compression and the list of
compression methods was supplied in this field. For any TLS 1.3
ClientHello, this field MUST contain only the “null” compression method
with the code point of 0. If a TLS 1.3 ClientHello is received with any
other value in this field, the server MUST generate a fatal
“illegal_parameter” alert. Note that TLS 1.3 servers may receive TLS 1.2 or
prior ClientHellos which contain other compression methods and MUST follow
the procedures for the appropriate prior version of TLS."

-Ekr

> I know it may be out scope,
> but we have to estimate the risk.
>
> regards,
>
>
> >
> > Am 02.10.2015 um 15:08 schrieb takamichi saito:
> >>> Do we know how many protocols currently suffer from CRIME?
> >>>
> >>>
> >>> Maybe a best practice could be suggested by UTA for the implementation
> of TLS in software, to disable compression if vulnerable.  And for the
> others, to implement a way to enable/disable compression in case one day a
> vulnerability is found.
> >> I agree.
> >>
> >> Again,
> >>
> >> 1) We know CRIME threat, but it can not be risk for everyone.
> >> e.g., CVSS v2 Base Score: 2.6 (LOW)
> >>
> >> 2) If we need to have comp/decomp in an application layer,
> >>  clients such like browser need their own comp/decomp codes.
> >>
> >> 3) If there is no comp in tls1.3, some people may continue to use
> tls1.2.
> >> Which one is safer, "tls1.2" v.s. "tls1.3 with comp/decomp" ?
> >>
> >> That's why we explore the way to keep compression in TLSv1.3.
> >> How about making an option only in server-side?
> >> The spec has the compression but default is off, and also provides the
> suggestion.
> >>
> >>
> >>> --
> >>> Julien ÉLIE
> >>>
> >>> « La vraie valeur d'un homme se mesure lorsqu'il a tout perdu. »
> >>>
> >>> _______________________________________________
> >>> TLS mailing list
> >>> TLS@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/tls
> >>
> >> ;; takamixhi saito
> >> c2xhYWlidHNvcw
> >>
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>
>
> ;; takamixhi saito
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

Re: [TLS] TLS 1.3 - Support for compression to be removed