- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 12 May 2015 10:50:12 -0700
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Amos Jeffries <squid3@treenet.co.nz>, Willy Tarreau <w@1wt.eu>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 12 May 2015 at 10:44, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> aesbla(gzip(plaintext))
>
> since that would leak information, and she should *absolutely not*
> be able to force this distinction herself by sending an
> Accept-Encoding header.

The current consensus is that applying compression before encryption is not generically safe anyway.

C-E: aesbla, gzip

is not equivalent to:

C-E: gzip, aesbla

because order matters for C-E. It describes the order of application of the transforms. That order is at the sole discretion of the server.

I believe that A-E is not ordered in the same way, so coercion doesn't seem to be an option. I'm trying to understand what attack scenario you are describing (and failing).

I do appreciate the idea that a separate header field would allow us to pin when encryption happens and avoid the footgun.

Received on Tuesday, 12 May 2015 17:50:39 UTC
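
An added illustration, not part of the archived message: the sketch below applies the two Content-Encoding orderings from the thread and compares the on-wire lengths of two equal-length bodies, showing that only the compress-then-encrypt order lets body redundancy show through in ciphertext length. Assumptions: `aesbla` is modelled by a length-preserving XOR keystream stand-in rather than a real cipher, zlib stands in for the gzip coding, and the key, helper names and sample bodies are constructed.

```python
import hashlib
import zlib

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread

def aesbla(data: bytes) -> bytes:
    # Assumption: length-preserving stand-in for the thread's "aesbla" coding
    # (XOR with a SHAKE-256 keystream, its own inverse). Not a real cipher mode.
    stream = hashlib.shake_256(KEY).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

# coding name -> (apply, undo); zlib stands in for the gzip coding
CODINGS = {"gzip": (zlib.compress, zlib.decompress), "aesbla": (aesbla, aesbla)}

def codings(header: str) -> list:
    return [t.strip().lower() for t in header.split(",") if t.strip()]

def encode(body: bytes, header: str) -> bytes:
    # Content-Encoding lists codings in the order they were applied.
    for name in codings(header):
        body = CODINGS[name][0](body)
    return body

def decode(body: bytes, header: str) -> bytes:
    # A recipient undoes them right to left.
    for name in reversed(codings(header)):
        body = CODINGS[name][1](body)
    return body

def decodes_as(wire: bytes, header: str, expected: bytes) -> bool:
    # True only if undoing the codings in this header's order recovers the body.
    try:
        return decode(wire, header) == expected
    except zlib.error:
        return False

# Constructed bodies: same length, different redundancy.
REDUNDANT = b"A" * 64
VARIED = bytes(range(64))

def wire_lengths(header: str) -> tuple:
    return len(encode(REDUNDANT, header)), len(encode(VARIED, header))

if __name__ == "__main__":
    for h in ("gzip, aesbla", "aesbla, gzip"):
        print(f"C-E: {h:14} wire lengths {wire_lengths(h)}")
```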