Hi Ángel,
> The main problem is not as much that the contents are compressed or
> not, but that known plain text and confidential data are compressed
> together.
> As such, I don't think it's usually necessary to disable it for
> confidential articles/newsgroups.

First of all, thanks for your valuable comment. I will take it into
account in the wording of the draft.
> Regarding your draft, I would
> a) add a None algorithm
> b) allow compress to be called inside a compress session, replacing the
> previous one.
> Thus, a client would be able to COMPRESS DEFLATE, <read public groups>,
> COMPRESS NONE, <read secret article>, COMPRESS DEFLATE, <more public
> activity>
> Or even call COMPRESS DEFLATE, <read article A>, COMPRESS DEFLATE,
> <read article B> to ensure their contents are not compressed together.

I understand the scenario.
It implies here that the client will have to know somehow what kinds of
newsgroups or articles need extra security. The client will have to
send the right COMPRESS commands at the right time.
Wouldn't it be better that the server also knows somehow what kinds of
newsgroups or articles need extra security, and clears the compression
dictionary even if not explicitly asked by the client?
We could otherwise have a situation where not all the clients accessing
secret articles are correctly configured. Therefore, one of the clients
may leak information. If both the client and the server ensure not to
compress public and confidential data together, it would be better,
wouldn't it?
Hmm, on second thoughts, this suggestion of a None algorithm and
allowing to switch to another algorithm at any time adds complexity that
could be avoided by another suggestion: if a client wants to access
both public groups and secret articles, why not open two separate NNTP
connections (either in parallel or one after the other)? These two
sessions can be compressed, and there will be no leakage.
So as to answer your proposal of ensuring that the contents of articles
are not compressed together, we could call "COMPRESS DEFLATE FLUSH" (or
another better optional argument) that asks the server to clear the
compression dictionary after every response.
--
Julien ÉLIE
« Ta remise sur pied lui a fait perdre la tête ! » (Astérix)
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
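The property the thread is arguing about, shown as an added example that is not part of the thread and not code from any NNTP server or client: two "responses" are compressed in one raw DEFLATE stream, once with the dictionary kept across them and once with a full flush between them, which is what a "COMPRESS DEFLATE FLUSH" option asking the server to clear the dictionary after every response would amount to. The three article bodies are constructed sample data; the secret article shares a header line and a sentence with the public one. The check a server operator would want is whether the number of bytes the secret response adds to the stream depends on what was sent before it.

```python
import zlib

# Constructed sample "articles" (not from the thread). SECRET repeats a
# header line and a sentence that also occur in PUBLIC; UNRELATED does not.
PUBLIC = (b"From: alice@example.invalid\nSubject: weekly status\n\n"
          b"Nothing to report this week.\n") * 4
SECRET = (b"From: bob@example.invalid\nSubject: weekly status\n\n"
          b"Nothing to report this week. Also, the merger closes Friday.\n")
UNRELATED = (b"From: carol@example.invalid\nSubject: recipe\n\n"
             b"Mix flour and eggs, fry until golden.\n")


def shared_stream(first, second):
    """One raw DEFLATE stream; the dictionary built while compressing the
    first response is still available when the second one is compressed."""
    c = zlib.compressobj(level=9, wbits=-15)   # wbits=-15: raw deflate
    out = c.compress(first)
    if second:
        out += c.compress(second)
    return out + c.flush(zlib.Z_FINISH)


def flushed_stream(first, second):
    """Same stream, but Z_FULL_FLUSH after the first response discards the
    dictionary, so the second response cannot back-reference the first.
    This models a server that clears the dictionary after every response."""
    c = zlib.compressobj(level=9, wbits=-15)
    out = c.compress(first) + c.flush(zlib.Z_FULL_FLUSH)
    if second:
        out += c.compress(second)
    return out + c.flush(zlib.Z_FINISH)


def marginal_cost(stream_fn, first, second):
    """Bytes the second response adds on the wire, given the first one."""
    return len(stream_fn(first, second)) - len(stream_fn(first, b""))


def history_dependent(stream_fn, secret, related, unrelated):
    """True if the on-wire size of `secret` changes with the preceding
    response, i.e. the compressor mixes history into the secret's encoding.
    A deployment that clears the dictionary per response should return False."""
    return (marginal_cost(stream_fn, related, secret)
            != marginal_cost(stream_fn, unrelated, secret))


def round_trips(stream_fn, first, second):
    """A full flush is still one valid stream: the receiver needs no change."""
    return zlib.decompress(stream_fn(first, second), wbits=-15) == first + second


if __name__ == "__main__":
    for name, fn in (("shared dictionary", shared_stream),
                     ("flush after each response", flushed_stream)):
        print(f"{name}: secret costs {marginal_cost(fn, PUBLIC, SECRET)} bytes "
              f"after the public article, {marginal_cost(fn, UNRELATED, SECRET)} "
              f"after an unrelated one; history-dependent="
              f"{history_dependent(fn, SECRET, PUBLIC, UNRELATED)}")
```

With the shared dictionary, the secret article costs fewer bytes after the public article than after an unrelated one, because its repeated header and sentence are encoded as back-references into the public text; the flushed variant makes the cost identical in both cases while the output still decompresses as a single stream. The same separation is what the two-connections suggestion achieves, at the price of a second TLS handshake instead of a flush.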