Based on CRIME and BREACH we know that this construction is not secure:

C = encrypt(compress(A || B))

If you control B and A contains sensitive information, strlen(C) tells you
information about A. Vice versa if you control A and B contains sensitive
information.

In the context of a web application, this can lead to the compromise of the
contents of HTTP-Only cookies.

This is known to be safe: C = encrypt(A || B). (No compression.)

This might be safe: C = encrypt(A || compress(B) ).

If an application needs to compress data before encryption, it shouldn't be
a Transport Layer protocol's job to do so.

Compression has no place in Transport Layer Security. Please nix it until
we can, in a provably secure manner, make C = encrypt(compress(A || B)) not
leak information about A when an attacker controls B.

I await your IACR papers that prove the contrary, or a swift and decisive
vote to kill TLS encryption in 1.3. Further bikeshedding is just
embarrassing.

Just my $0.02.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
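
The three constructions compared in the message above, measured side by side. This is an added example, not part of the original message. The sample values, the function names and `toy_encrypt` (a length-preserving stand-in for a real stream cipher or AEAD) are assumptions made for the illustration.

```python
import hashlib
import os
import zlib

# Constructed sample values (not from the original message).
SECRET_A = b"Cookie: session=7f3a9c1e5b2d\r\n"  # sensitive part A
OTHER_A = b"Cookie: session=0d4e8b6a2c91\r\n"   # a different secret, same length
B_MATCH = b"GET /?q=session=7f3a9c1e5b2d"       # B happens to repeat the secret
B_MISS = b"GET /?q=session=XQ0ZKW4HJ8VU"        # B of equal length, no repeat


def toy_encrypt(plaintext: bytes) -> bytes:
    """Length-preserving stand-in for a stream cipher or AEAD. Not real crypto."""
    key, nonce = os.urandom(32), os.urandom(12)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def compress_all(a: bytes, b: bytes) -> int:
    """strlen(C) for C = encrypt(compress(A || B))."""
    return len(toy_encrypt(zlib.compress(a + b)))


def no_compression(a: bytes, b: bytes) -> int:
    """strlen(C) for C = encrypt(A || B)."""
    return len(toy_encrypt(a + b))


def compress_b_only(a: bytes, b: bytes) -> int:
    """strlen(C) for C = encrypt(A || compress(B))."""
    return len(toy_encrypt(a + zlib.compress(b)))


if __name__ == "__main__":
    # Compression over A || B: the length shrinks when B repeats part of A.
    print("compress(A||B):  ", compress_all(SECRET_A, B_MATCH),
          "vs", compress_all(SECRET_A, B_MISS))
    # No compression: equal-length inputs always give equal-length output.
    print("A||B:            ", no_compression(SECRET_A, B_MATCH),
          "vs", no_compression(SECRET_A, B_MISS))
    # Compressing B alone: the length is len(A) plus a function of B only,
    # so swapping in a different secret of the same length changes nothing.
    print("A||compress(B):  ", compress_b_only(SECRET_A, B_MATCH),
          "vs", compress_b_only(OTHER_A, B_MATCH))
```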
