• bioemerl@kbin.social
    link
    fedilink
    arrow-up
    14
    arrow-down
    2
    ·
    edit-2
    1 year ago

    Don’t compress encrypted data since it opens you up to attacks like CRIME, unless it’s at rest and static data.

    • Mubelotix
      link
      fedilink
      arrow-up
      18
      arrow-down
      1
      ·
      1 year ago

      Encrypted data cannot be compressed anyway

    • bastian_5@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      2
      ·
      1 year ago

      If that’s true, what’s to stop someone else from just compressing it themself and opening the same attack vector?

      • harbor9964@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Compressing what themselves? Compress then encrypt leaks information about the data being encrypted if an adversary can affect some part of the data being encrypted. If the data is at rest and repeated encryptions are needed , then this isn’t a concern.

        • bastian_5@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          13
          ·
          1 year ago

          Compress the encrypted data. You’re talking about encrypting compressed data, this was talking about compressing encrypted data.

          • bioemerl@kbin.social
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            Technically you would be fine to compress the encrypted data, but encrypted data doesn’t compress well so it’s not really worth your time

            • bastian_5@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Depends on if you’re using lossless or lossy compression. Lossless compression will usually make it bigger, because it relies entirely on data being formatted so their are common patterns or elements that can be described with fewer parts. Like, an ok compression algorithm for a book written in English and stored as Unicode would be to convert it to ASCII and have a thing that will denote Unicode if there happens to be anything that can’t convert. An encrypted version of that book would look indestinguishable from random characters, so compressing it at that point would just put that Unicode denoter before every single character, making the book end up taking more space.

              • bioemerl@kbin.social
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                The problem is that when you compress before you encrypt, the file size becomes a source of data about the contents. If an attacker has control of part of the data - say - a query string, they can use that to repeatedly add things to your data and see how the size changes as a result.

                • bastian_5@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  So it sounds like compression before encryption should only be done in specific circumstances because it can be a security issue depending on use case, but encryption before compression should never be done because it will almost always increase the size of the file