Re: SSL compression

On Mon, 2021-11-08 at 13:30 +0530, Abhijit Menon-Sen wrote:
> At 2021-11-08 08:41:42 +0100, mjbaars1977(dot)pgsql(dot)hackers(at)gmail(dot)com wrote:
> > Could someone please explain to me, why compression is being
> > considered unsafe / insecure?
>
> https://en.wikipedia.org/wiki/CRIME
>

Well Abhijit, personally I don't see any connection between crime and compression. I do see however, that some people might feel safer communicating over an SSL
ENCRYPTED line doing their daily business, unjustified as that is, but they shouldn't be feeling safer communicating over a compressed line, that would be
utterly stupid.

The sole purpose of compression is to reduce the size of a particular amount of data.

> > Might the underlying reason be, that certain people have shown
> > interest in my libpq/PQblockwrite algorithms (
> > https://www.postgresql.org/message-id/c7cccd0777f39c53b9514e3824badf276759fa87.camel%40cyberfiber.eu)
> > but felt turned down and are now persuading me to trade the algorithms
> > against SSL compression, than just say so please. I'll see what I can
> > do.
>
> The whole world is trying to move away from TLS compression (which has
> been removed from TLS 1.3). It has nothing to do with you.

As I understand it, TLS is a predecessor of SSL. People are trying to move away from TLS, not from compression.

>
> -- Abhijit