On 13 feb. 2014, at 01:04, Peter Saint-Andre <[email protected]> wrote:
> While working on draft-sheffer-uta-tls-attacks with Yaron Sheffer this week,
> he pointed out to me that the TIME and BREACH attacks might apply to
> application-layer compression technologies such as XEP-0138 for XMPP. I
> haven't looked into that in detail yet, but I figured I'd raise the issue
> here for discussion.

Depends on what data you consider secret. Passwords shouldn't be in the compressed stream, per XEP-0170. Other highly sensitive data can be your contact list and the contents of your messages. Both of these an attacker should not be able to trigger retransmissions of, which complicates attacking them. But it's likely the attacker will be able to extract information like "is [email protected] on your roster?", "did you receive a message from [email protected] in the past 32 kB?" (the zlib window size) or "did you receive a message that included the phrase 'thermonuclear war' in the last 32 kB?".

Thijs
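
The length side channel described in the message above, as an added example that is not part of the original post: it measures how the compressed size of one stanza depends on what is already in the shared zlib window, and compares that with a stream that resets its dictionary after every stanza. All JIDs and stanzas are constructed sample data, and the per-stanza Z_FULL_FLUSH is an assumed mitigation chosen for this example, not something proposed in the thread.

```python
import zlib

# Constructed sample data: two possible earlier roster pushes on the stream.
ROSTER_WITH = (b"<iq type='result'><query xmlns='jabber:iq:roster'>"
               b"<item jid='romeo@montague.example'/>"
               b"<item jid='nurse@capulet.example'/></query></iq>")
ROSTER_WITHOUT = (b"<iq type='result'><query xmlns='jabber:iq:roster'>"
                  b"<item jid='tybalt@verona.example'/>"
                  b"<item jid='nurse@capulet.example'/></query></iq>")

# Constructed later stanza whose body repeats the JID being asked about.
PROBE = (b"<message to='juliet@capulet.example'>"
         b"<body>romeo@montague.example</body></message>")


def probe_size(history, flush_mode):
    """Compressed length of PROBE when it follows `history` on one zlib stream."""
    stream = zlib.compressobj()
    stream.compress(history)
    stream.flush(flush_mode)  # the earlier stanza leaves the compressor
    return len(stream.compress(PROBE) + stream.flush(flush_mode))


def leak(flush_mode):
    """Bytes by which PROBE shrinks when its JID is already in the window."""
    return (probe_size(ROSTER_WITHOUT, flush_mode)
            - probe_size(ROSTER_WITH, flush_mode))


if __name__ == "__main__":
    # Z_SYNC_FLUSH keeps the 32 kB dictionary across stanzas, so the size of
    # PROBE on the wire depends on whether the roster contained the JID.
    print("shared window, length difference:", leak(zlib.Z_SYNC_FLUSH))
    # Z_FULL_FLUSH resets the dictionary at each stanza boundary, so PROBE
    # compresses to the same length whatever preceded it.
    print("reset per stanza, length difference:", leak(zlib.Z_FULL_FLUSH))
```

Resetting the dictionary at every stanza removes the cross-stanza signal at the cost of most of the compression gain, since XMPP stanzas mainly compress well against earlier stanzas.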
