On Sun, Nov 27, 2016 at 03:13:04PM +0000, Alessandro Ghedini wrote:

> On Sat, Nov 26, 2016 at 11:42:20PM -0500, Victor Vasiliev wrote:
> > I am currently trying to figure out how much of QUIC certificate
> > compression can be adapted to work with TLS.  I will submit a draft as soon
> > as I have a working prototype.
> 
> FWIW I too have started working on a prototype for gzip compressing
> certificates based on BoringSSL:
> https://github.com/ghedo/boringssl/tree/cert_compress
> 
> It's not complete yet and I only implemented compression so far based on what
> Chromium does with QUIC. I also haven't really tested it yet (but at least it
> builds AFAICT :) ).
> 
> I'd like to do some tests as well to measure the benefits of this (e.g.
> download certificates from CT logs and see how effective the compression is).

My concern is that any packet size benefit from compressing
certificates with gzip is likely not worth the CPU cost and attack
surface of performing the compression and uncompression.

FWIW, my long-standing practice is to not link the SSL library with
zlib.  I was doing this as a matter of hygiene, long before the
various attacks on (application payload) compression were reported.

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
