Julien, It may well be true that some (typically unauthenticated) application protocols on top of TLS can survive TLS compression, but it is unlikely. You ask a pointed question about AUTHINFO, so just as a fun game, let’s analyze its security:
AUTHINFO USER test 381 Enter password AUTHINFO PASS test 281 Authentication succeeded From a formal security viewpoint, the logic behind disabling compression in this exchange is as follows. TLS does not hide the length of plaintext, so an 8-character password is distinguishable from a 4-character one. While this loss of confidentiality may arguably be expected and acceptable, compression makes it worse. Consider the two lines: AUTHINFO PASS AAAAAAAA AUTHINFO PASS 12345678 Both passwords have 8 characters, and so when no compression is used, a passive network adversary cannot distinguish between them. However, if they are compressed with gzip, the first results in 7 fewer bytes than the second. So compression of this line already yields 3 bits of the password to a passive adversary. No online attack needed so far. Suppose, the client also uses this password with a different command (e.g. XSECRET). XSECRET test AAAAAAAA XSECRET test 12345678 Now looking at the compressed lengths of this, the passive attacker can get another 3 bits. Considering that the average password entropy can be as low as 20 bits [1], the attacker now has a significant headstart on any other attack she may wish to pursue. HTTP is a particularly bad case because the attacker can potentially inject arbitrary data before (and after) the secret. With NNTP you may escape the worst of this adversary, but you probably won’t find any TLS expert willing to say that compressing the password is ok. Best, Karthik [1] http://www.jbonneau.com/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf > On 20 Sep 2015, at 14:09, Julien ÉLIE <jul...@trigofacile.com> wrote: > > Hi Watson, > >>> Though I've read a few pages explaining how CRIME and BEAST attacks work, I >>> still do not see well how TLS-level compression would make NNTP vulnerable. >>> Same thing for POP or IMAP I believe. >>> >>> The news server does not leak information. The responses are just OK or KO. >> >> This analysis would predict that HTTP isn't vulnerable. > > I don't understand that point for AUTHINFO. > NNTP only answers "281 Authentication succeeded" or "481 Authentication > failed" here, whereas HTTP response bodies are far more complex and part of > the request may be reflected in the response. > > -- > Julien ÉLIE > > « Etna : lave dévalante. » > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
