#645 Compression Oracle Attacks

Reporter kousu
Owner MattJ
Stars ★ (1)
Tags
  • Component-Docs
  • Status-Fixed
  • Priority-Medium
  • Type-Defect
  1. kousu on

    http://prosody.im/doc/advanced_ssl_config#options suggests "Note: If you wish to enable SSL compression, please use the ssl_compression option instead (set it to true). However generally it is recommended to use XMPP compression instead for greater flexibility and performance.". The BEAST/CRIME attacks demonstrated that compression breaks encryption, a so-called "Compression Oracle", e.g. http://security.stackexchange.com/questions/20216/should-i-disable-ssl-compression-because-of-crime. The basic attack is that if someone can inject known plaintext (e.g. by sending you messages, or even just sending you subscription requests with extra ignored attributes) and then observe that ciphertext from you shrinks in response, they know that your plaintext probably contained copies of their plaintext. I am not an expert on this, and I'm not sure how much and where this impacts Prosody, but that is precisely why I want to raise this issue and make sure you developers are aware. You should at least remove the recommendation to use SSL compression, and possibly disable both it and XMPP compression entirely, which is too bad because XMPP is kind of gaudy and benefits a lot from compression.

  2. tmolitor on

    See https://blog.thijsalkema.de/blog/2014/08/07/https-attacks-and-xmpp-2-crime-and-breach/ for a better explanation including examples.

  3. Zash on

    A big fat warning has been added to https://prosody.im/doc/advanced_ssl_config. Neither SSL nor XMPP compression is enabled by default. I don't even think SSL compression is compiled in by modern distros anymore. If someone who knows what they are doing and is aware of the consequences really wants to enable SSL compression, using that option is better than overriding ssl.options in 0.9.x. In 0.10, options are handled better, but the entire 'ssl' config stanza is being deprecated in favor of a new simple and magical option.

    Changes
    • owner MattJ
  4. Zash on

    Changes
    • tags Status-Fixed Component-Docs
  5. kousu on

    That does look better, but I doubt it's generally safe to use any kind of compression with any kind of encryption. I don't have a proof of concept ready to prove it, though.
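
Added example (not part of the original thread and not Prosody code): the size leak described in the first comment, measured with Python's `zlib`, next to the default of no compression. The stanzas and token are constructed, and modelling a compressed stream as one zlib context sync-flushed after each stanza is an assumption of this sketch.

```python
import zlib

# Constructed sample data: not real credentials or captured traffic.
SECRET_STANZA = b"<iq type='set'><token>constructed-Zq7Lm2Xv9Rt4Kp8WbN3s</token></iq>"
# Two untrusted stanzas of equal length; only the first repeats the secret token.
MATCHING = b"<message><body><token>constructed-Zq7Lm2Xv9Rt4Kp8WbN3s</body></message>"
NON_MATCHING = b"<message><body><token>constructed-Hd5Yc1Ju6Fg0Ea3QoV8x</body></message>"


def wire_sizes(injected: bytes, compress: bool) -> tuple:
    """Return on-the-wire sizes of (injected stanza, later secret stanza).

    With compress=True both stanzas pass through one zlib context that is
    sync-flushed after each stanza (assumed model of a compressed stream
    that carries untrusted and sensitive data together). Encryption is left
    out because it preserves length, which is all an observer needs here.
    """
    if not compress:
        return len(injected), len(SECRET_STANZA)
    ctx = zlib.compressobj(9)
    first = ctx.compress(injected) + ctx.flush(zlib.Z_SYNC_FLUSH)
    second = ctx.compress(SECRET_STANZA) + ctx.flush(zlib.Z_SYNC_FLUSH)
    return len(first), len(second)


def secret_size_delta(compress: bool) -> int:
    """Bytes by which the secret stanza shrinks when the earlier untrusted
    stanza repeated the token, compared with an equal-length one that did not."""
    _, after_miss = wire_sizes(NON_MATCHING, compress)
    _, after_hit = wire_sizes(MATCHING, compress)
    return after_miss - after_hit


if __name__ == "__main__":
    # Shared compression context: the secret stanza's size depends on
    # what untrusted data preceded it, so its length leaks content.
    print("compression on :", secret_size_delta(True), "bytes of signal")
    # No compression (the default mentioned in the thread): size is constant.
    print("compression off:", secret_size_delta(False), "bytes of signal")
```
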
