Hi Peter,
At 16:18 08-04-2014, Peter Saint-Andre wrote:
> Before we released the security note about application-layer
> compression last week [1] (which now seems to have been overshadowed
> by the heartbleed bug in OpenSSL), I started to work on some updates
> to XEP-0138. Here is my proposed text for the Security Considerations section:
When I read the advisory I was reminded of an old issue which caused
a similar Denial of Service attack. I wondered why we did not learn
anything from the past. Anyway, some of the suggested guidelines are
to leave it to the administrator to turn on compression and to set
defaults to avoid high resource consumption. Shouldn't that be
addressed at the TLS level as it provides the functionality, with a
relevant pointer in XEP-0138 so that the warning is not overlooked?
Regards,
-sm