Hi all,

On 22 September 2015 at 15:23, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote:

> Also, if compression is moved from TLS to upper layer(s) - how would it
> mitigate compression-related attacks? Besides "now it's somebody else's
> problem"?

It allows the authors of the layers above to cherry-pick which parts of the connection to compress, rather than potentially leaking sensitive information through a "blanket compression" on the entire datastream. For instance, in the case of HTTP, using a Content-Transfer-Encoding leaks no information on the headers, as only the response body is compressed. Furthermore, one can choose to only apply compression to static resources such as CSS files.

-Thijs
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
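Added example, not part of the original message: a small Python comparison of the "blanket compression" and selective compression the reply describes, measuring how the on-the-wire size behaves in each case. The header layout, the token values, the `STATIC_TYPES` allowlist and all function names are constructed assumptions for illustration.

```python
import zlib

# Assumed allowlist of static, secret-free content types (hypothetical policy).
STATIC_TYPES = {"text/css", "application/javascript"}

# Constructed sample values, not taken from any real session.
TOKEN = b"4f9a1c7e2b8d03a65e1f7c9024bd6a83"
OTHER = b"d2071be98c46a5f30b7e914ca6d8523f"  # same length, different content
CSS = b"body{margin:0;padding:0}\n" * 20


def make_headers(token: bytes, content_type: str) -> bytes:
    """Constructed response headers that carry a session token."""
    return (b"HTTP/1.1 200 OK\r\nSet-Cookie: session=" + token +
            b"\r\nContent-Type: " + content_type.encode() + b"\r\n\r\n")


def echo_page(text: bytes) -> bytes:
    """Dynamic page body that echoes caller-supplied text."""
    return b"<p>You searched for: " + text + b"</p>"


def blanket_size(token: bytes, body: bytes, content_type: str) -> int:
    """Headers and body share one compression context (blanket compression)."""
    return len(zlib.compress(make_headers(token, content_type) + body))


def selective_size(token: bytes, body: bytes, content_type: str) -> int:
    """Headers are never compressed; the body only if its type is static."""
    if content_type in STATIC_TYPES:
        body = zlib.compress(body)
    return len(make_headers(token, content_type)) + len(body)


if __name__ == "__main__":
    for label, text in (("echo == token", TOKEN), ("echo != token", OTHER)):
        page = echo_page(text)
        print(label,
              "blanket:", blanket_size(TOKEN, page, "text/html"),
              "selective:", selective_size(TOKEN, page, "text/html"))
    # Static CSS is still compressed, and its size does not depend on the token.
    print("css:", selective_size(TOKEN, CSS, "text/css"),
          selective_size(OTHER, CSS, "text/css"))
```

Under blanket compression the output is shorter when the echoed text repeats the header token, so size reveals something about the headers; under the selective policy the size is the same for both echoes, while the static CSS body still benefits from compression.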