On 2016-06-10 at 22:43 +0200, Julien ÉLIE wrote: > NNTP commands other than AUTHINFO are not believed to divulgate > confidential information as far as public Netnews newsgroups and > articles are concerned. That is why this specification only adds a > restriction to the use of AUTHINFO when a compression layer > active. In case private and confidential newsgroups or articles are > accessed, a server SHOULD NOT allow compression, and a client SHOULD > NOT attempt to activate compression, for the same reasons as > mentioned above in this Section. > > Implementations MUST support a configuration where compression can be > easily disabled. > > Future extensions to NNTP that define commands conveying confidential > data SHOULD ensure to state that they SHOULD NOT be used along with > compression. > > Thanks again for your useful comments!
The main problem is not as much that the contents are compressed or not, but that known plain text and confidential data are compressed together. As such, I don't think it's usually necessary to disable it for confidential articles/newsgroups. What you need to avoid is that in the same compress session where you read the article with the steps to enter into the nuclear facility, you also read a different public article that the spies know you will read, as the compressed size will vary depending on the contents of the secret. Of course, if instead of a general text of relatively unknown length, the attacker knows that you will get a list of 100 nuclear launch codes, seeing how well did it compress might allow them to guess some of their properties. Regarding your draft, I would a) add a None algorithm b) allow compress to be called inside a compress session, replacing the previous one. Thus, a client would be able to COMPRESS DEFLATE, <read public groups>, COMPRESS NONE, <read secret article>, COMPRESS DEFLATE, <more public activity> Or even call COMPRESS DEFLATE, <read article A>, COMPRESS DEFLATE, <read article B> to ensure their contents are not compressed together. Best regards _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
