On 11/12/14, 6:55 AM, Dave Cridland wrote:
> On 12 November 2014 13:49, Kevin Smith <[email protected]> wrote:
>
>> I’ve been asked if the XSF can issue a recommendation re: the use of compression and TLS. Ignoring for a moment what a vehicle for issuing such a recommendation might be, what would we recommend?
>
> It's not clear to me we should be making an explicit recommendation - after all the closest we can reasonably say to a definitive recommendation is "you probably ought to think about whether you really need compression". The subject of updating XEP-0138 to discuss the impact of compression-based attacks on encryption, though, has come up before.
>
>> My understanding is that we would recommend that compression is not used where it’s not necessary. Can it ever sensibly be used? If you had to choose one, which would it be?
>
> I think the XSF should just describe the possible attacks, and any mitigations.
That at least is a good first step. We might want to do more afterward, though (depending on how serious we think the attacks are).
Peter

--
Peter Saint-Andre
https://andyet.com/
