On 07/04/2015 14:52, Salz, Rich wrote:
> Jakob,
>
> Thanks very much for the detailed response! I'm still not convinced that tls-layer compression is a good thing. You seem to be saying it could possibly be made to work, but ... do I have that view right?

I was merely trying to explain Thomas Tanner's suggestion for how to protect TLS compression against the (mostly HTTPS specific) attacks.

However, as has been hinted at by others, TLS layer compression appears to be both useful and harmless for protocols that do not have the higher level properties that allow the CRIME/BREACH attacks. Specifically a small secret near a slightly longer chosen plaintext, surrounded by a lot of known plaintext, plus the ability to provoke a medium number of sessions each varying almost exclusively in the chosen plaintext.

It also appears the HTTP/2.0 draft aka SPDY requires compression to be enabled, though I don't know if that is at the TLS or HTTP level.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
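Added example, not part of the original message or of OpenSSL: a Python/zlib sketch of the conditions listed above (a small secret near a chosen plaintext, surrounded by known plaintext), showing that the record length depends on the secret only when both share one compression context. All sample data and function names are constructed, and compressing the two parts separately is an assumed mitigation for illustration, not necessarily the suggestion referred to in the message.

```python
import zlib

# Constructed sample data; none of it comes from the thread.
KNOWN_PREFIX = b"GET /account HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n" * 4
KNOWN_SUFFIX = b"\r\nUser-Agent: demo-client/1.0\r\nConnection: keep-alive\r\n" * 4
SECRET_A = b"Cookie: sid=7f3a9c1e5b2d4860"
SECRET_B = b"Cookie: sid=c04e8b17a9d3f265"
GUESS_RIGHT = b"q=Cookie: sid=7f3a9c1e5b2d4860"  # chosen plaintext equal to SECRET_A
GUESS_WRONG = b"q=Cookie: sid=ZKQWJXVYPLMNGHTR"  # same length, value does not match


def shared_context_len(secret: bytes, chosen: bytes) -> int:
    """Record length when secret and chosen plaintext share one compression context."""
    record = KNOWN_PREFIX + chosen + b"\r\n" + secret + KNOWN_SUFFIX
    return len(zlib.compress(record, 9))


def isolated_context_len(secret: bytes, chosen: bytes) -> int:
    """Total length when peer-influenced data is compressed apart from the secret."""
    secret_part = zlib.compress(KNOWN_PREFIX + secret + KNOWN_SUFFIX, 9)
    chosen_part = zlib.compress(chosen, 9)
    return len(secret_part) + len(chosen_part)


def guess_delta(length_fn, secret: bytes) -> int:
    """Observable length difference between the wrong and the right guess."""
    return length_fn(secret, GUESS_WRONG) - length_fn(secret, GUESS_RIGHT)


if __name__ == "__main__":
    # Shared context: the delta changes with the secret (length is an oracle).
    # Isolated contexts: the delta is identical for every secret.
    for name, fn in (("shared", shared_context_len), ("isolated", isolated_context_len)):
        print(name, "secret A:", guess_delta(fn, SECRET_A),
              "secret B:", guess_delta(fn, SECRET_B))
```

A protocol with no peer-chosen data in the same compressed stream as a secret corresponds to the isolated case, which is the situation the message describes as harmless.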