Re: SSL compression

On Mon, 2021-11-08 at 13:30 +0530, Abhijit Menon-Sen wrote:
> At 2021-11-08 08:41:42 +0100, mjbaars1977.pgsql.hackers@gmail.com wrote:
> > Could someone please explain to me, why compression is being
> > considered unsafe / insecure?
> 
> https://en.wikipedia.org/wiki/CRIME
> 

Well Abhijit, personally I don't see any connection between crime and compression. I do see however, that some people
mightfeel safer communicating over an SSL
 
ENCRYPTED line doing their daily business, unjustified as that is, but they shouldn't be feeling safer communicating
overa compressed line, that would be
 
utterly stupid.

The sole purpose of compression is to reduce the size of a particular amount of data.

> > Might the underlying reason be, that certain people have shown
> > interest in my libpq/PQblockwrite algorithms (
> > https://www.postgresql.org/message-id/c7cccd0777f39c53b9514e3824badf276759fa87.camel%40cyberfiber.eu)
> > but felt turned down and are now persuading me to trade the algorithms
> > against SSL compression, than just say so please. I'll see what I can
> > do.
> 
> The whole world is trying to move away from TLS compression (which has
> been removed from TLS 1.3). It has nothing to do with you.

As I understand it, TLS is a predecessor of SSL. People are trying to move away from TLS, not from compression.

> 
> -- Abhijit