On Wed, Mar 16, 2016 at 6:14 PM, Paterson, Kenny <kenny.pater...@rhul.ac.uk> wrote:

>> provokes me to bring it up. Here's the crux of it; is it really a
>> security win to recommend the AEAD cipher suites for TLS 1.2 users?
I'm skeptical about the benefit of padding to 16 bytes. While it does increase the size classes in your Wikipedia example, Wikipedia pages trigger subresource loads, which also have a size, and page-to-page navigation leaks more information. My takeaway from reading traffic-analysis papers over the years is that countermeasures are surprisingly difficult.

On the other hand, the CBC cipher suites are fundamentally broken, rather slow and, in an attempt to fix them, are now very complex. So I don't believe that the benefits of padding to 16 bytes come close to justifying the use of the CBC modes. Over the coming years I hope that CBC modes are killed off in the same fashion that RC4 now has been in several browsers.

Padding at the application level (e.g. HTTP) is probably the easiest, reasonable place to add padding (if there's a scheme with solid justification). Sure, one doesn't get "automatic" padding that using CBC modes might (somewhat) get you, but I still don't think CBC is a good tradeoff.

Cheers

AGL

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
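The size-class argument above, as an added example that is not part of the thread: it counts how many distinct record lengths an observer sees for a set of constructed response sizes under TLS 1.2 CBC with minimal padding, under AES-GCM, and under AES-GCM with application-level padding to a fixed bucket. The MAC length (HMAC-SHA1), explicit IV/nonce lengths and the page sizes are assumptions made for the illustration.

```python
from math import ceil

# Assumed TLS 1.2 record-layer constants for the comparison.
MAC_LEN = 20        # HMAC-SHA1 tag in *_CBC_SHA suites (MAC-then-encrypt)
CBC_IV_LEN = 16     # explicit per-record IV (TLS 1.1+)
GCM_NONCE_LEN = 8   # explicit part of the AES-GCM nonce
GCM_TAG_LEN = 16    # AES-GCM authentication tag

# Constructed response sizes (bytes), chosen to fall within one 16-byte
# block of each other in several cases; not real Wikipedia page sizes.
PAGE_SIZES = [4001, 4007, 4012, 4018, 4030, 4031, 4045, 4060, 4063, 4090]


def cbc_record_len(plaintext_len: int) -> int:
    """Wire size of a CBC record: plaintext + MAC + at least one padding
    byte, rounded up to the 16-byte block boundary, plus the explicit IV.
    The observer learns the length only up to a multiple of 16."""
    body = plaintext_len + MAC_LEN + 1
    return CBC_IV_LEN + ceil(body / 16) * 16


def aead_record_len(plaintext_len: int) -> int:
    """Wire size of an AES-GCM record: fixed overhead only, so the exact
    plaintext length is visible to the observer."""
    return GCM_NONCE_LEN + plaintext_len + GCM_TAG_LEN


def app_padded_len(plaintext_len: int, bucket: int) -> int:
    """Application-level padding (e.g. an HTTP body padded to a bucket
    size) applied before the record layer sees the data."""
    return ceil(plaintext_len / bucket) * bucket


def size_classes(lengths, record_len) -> int:
    """Number of distinguishable on-the-wire sizes for the given lengths."""
    return len({record_len(n) for n in lengths})


def compare(lengths=PAGE_SIZES, bucket: int = 256) -> dict:
    """Size classes per strategy; fewer classes means less length leakage."""
    return {
        "cbc_min_padding": size_classes(lengths, cbc_record_len),
        "aead": size_classes(lengths, aead_record_len),
        "aead_app_padded": size_classes(
            lengths, lambda n: aead_record_len(app_padded_len(n, bucket))),
    }


if __name__ == "__main__":
    print(compare())  # {'cbc_min_padding': 6, 'aead': 10, 'aead_app_padded': 1}
```

CBC's block rounding merges only neighbouring sizes, while a modest application-level bucket collapses the whole set; neither accounts for the subresource and navigation leakage the message points out.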