Re: New Version Notification for draft-thomson-http-encryption-00.txt

On 12 May 2015 at 10:44, Poul-Henning Kamp <> wrote:
>         aesbla(gzip(plaintext))
> since that would leak information, and she should *absolutely not*
> be able to force this distinction herself by sending an
> Accept-Encoding header.

The current consensus is that applying compression before encryption
is not generically safe anyway.

  C-E: aesbla, gzip

is not equivalent to:

  C-E: gzip, aesbla

because order matters for C-E.  It describes the order of application
of the transforms.  That order is at the sole discretion of the
server.  I believe that A-E is not ordered in the same way, so
coercion doesn't seem to be an option.

I'm trying to understand what attack scenario you are describing (and failing).

I do appreciate the idea that a separate header field would allow us
to pin when encryption happens and avoid the footgun.

Received on Tuesday, 12 May 2015 17:50:39 UTC