quicwg / base-drafts

Internet-Drafts that make up the base QUIC specification
https://quicwg.org

Robert Wilton's HTTP/3 Comment 4 #4807

Closed LPardue closed 3 years ago

LPardue commented 3 years ago

@rgwilton said

10.6. Use of Compression

Implementations communicating on a secure channel MUST NOT compress content that includes both confidential and attacker-controlled data unless separate compression contexts are used for each source of data. Compression MUST NOT be used if the source of data cannot be reliably determined.

This wasn't entirely clear to me. I presume (perhaps wrongly) that the issue is about the use of compression before the confidential data has been encrypted. I.e., I would presume that compressing a stream of data that includes both encrypted and non-encrypted data is okay? Perhaps this could be clarified.

MikeBishop commented 3 years ago

The issue is about guess-and-check attacks, mentioned in the previous paragraph. If there's a mixture of confidential and attacker-controlled data in the same context, the attacker can guess a value and then see if the resulting compressed data is shorter because their guess was compressed against the confidential value. The requirement is that data from different sources be maintained in separate contexts so the attacker can't check its guesses against the confidential value.

Encryption is relevant here only because the attacker can't simply observe the data stream to get the confidential information.
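
An added example, not part of the original thread or the draft: it measures the compressed length an observer would see when confidential and attacker-controlled data share one DEFLATE context, and again when each source has its own context as section 10.6 requires. The cookie-style values, the use of zlib, and all function names are assumptions made for illustration.

```python
import zlib

# Constructed sample values; none of them come from the thread or the draft.
SECRET = b"cookie: session=7f3a9c2e5b8d4f1a6c0e"
OTHER_SECRET = b"cookie: session=d02b7e19c4a86f35e7b1"
GUESS = b"session=7f3a9c2e5b8d4f1a6c0e"      # equals the token in SECRET
BASELINE = b"session=b1d6e09a4c7f2e83a5d0"   # same length, matches neither secret


def deflate_len(data: bytes) -> int:
    """Size of `data` after compression in a fresh DEFLATE context."""
    return len(zlib.compress(data, 9))


def wire_length(confidential: bytes, attacker: bytes, shared_context: bool) -> int:
    """Compressed size visible on the wire; encryption hides content, not length."""
    if shared_context:
        # One context: attacker bytes can back-reference the confidential bytes.
        return deflate_len(confidential + b"\n" + attacker)
    # Separate contexts: each source is compressed only against itself.
    return deflate_len(confidential) + deflate_len(attacker)


def length_signal(confidential: bytes, shared_context: bool) -> int:
    """Bytes saved when the attacker-controlled part is GUESS instead of BASELINE."""
    return (wire_length(confidential, BASELINE, shared_context)
            - wire_length(confidential, GUESS, shared_context))


if __name__ == "__main__":
    for label, shared in (("shared context", True), ("separate contexts", False)):
        print(f"{label:18} secret matches guess: {length_signal(SECRET, shared):3d}  "
              f"secret differs: {length_signal(OTHER_SECRET, shared):3d}")
```

With a shared context the saving changes depending on which secret is present, which is the check the attacker relies on. With separate contexts the saving is the same for either secret, so the observed length says nothing about the confidential value.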

rgwilton commented 3 years ago

On reading it again, the existing text is probably clear enough, so you can close this issue.