Implement TLS 1.3 random record padding

[candrews]

The TLS specification (RFC 8446) section 5.4 defines optional Record Padding.

As a security improvement, I suggest that curl implement random record padding.

Record padding is primarily applicable to server as a way to mitigate vulnerabilities such as CRIME and BREACH that involve compression and reflection. But, who knows - there may be some future vulnerability that random record padding will address on the client - it couldn't hurt :)

In OpenSSL, this is done using SSL_CTX_set_record_padding_callback

[jay]

it couldn't hurt :)

I'm not really feeling this one. I'm concerned about the already tenuous situation with middleboxes.

[candrews]

Wouldn't middle boxes already be a problem for TLS 1.3 then?

Perhaps a flag/configuration option to optionally enable this would be nice, then down the line if all goes well, it could be enabled by default?

[jay]

Wouldn't middle boxes already be a problem for TLS 1.3 then?

There is middlebox compatibility in OpenSSL (and I assume others).

Perhaps a flag/configuration option to optionally enable this would be nice, then down the line if all goes well, it could be enabled by default?

I don't see a reason to do it by default. We may end up lessening security and compatibility for no good reason. It might allow for a vulnerability instead of preventing one. I really don't know what will happen. As an option I expect it would very obscure, this is the first I'm hearing of it. You could use CURLOPT_SSL_CTX_FUNCTION if you want it.

[bagder]

Padding is in general a thing people invent when designing protocols and then nobody actually uses when running them since they're a waste of bandwidth. I suspect that's why we've never seen a demand for padding for TLS before.

[Seirdy]

@bagder True, it does use more bandwidth. However, this doesn't universally disqualify the use of TLS record padding. Plenty of smaller requests for static content would benefit from record padding, as it impedes traffic analysis: less consistent/unique record sizes make it more difficult for an eavesdropper to infer which pages a user visits. Websites that disable compression due to security concerns would probably be okay with tradeoff. I imagine that there'd be some extra interest among Tor users.