> Or maybe you can't draw that line because the upper layer stuff still has implications.
Yes. You gave the example of compression. One of the things you'll find inside HTTP/3 (not QUIC, and not even TLS, even though QUIC is underneath HTTP/3 and TLS provides the cryptography for QUIC) is an explicit design choice to compress each header separately because of BREACH.
Arguably the whole web stretches this point. It is common for cryptologists to discuss cryptography with the assumption that an adversary can choose to force participants to send messages of their choosing for them to observe the results - in many consumer applications this attack class seems pretty fanciful. But because of JavaScript it's actually tremendously easy on the Web, and we must prepare against it or expect bad guys to always win.
> if that means everything is in scope, what then?
Training. Your programming teams need appropriate skills and training to cope with the implications for their environment. You likely already train employees about what to do if there's a fire, or if a would-be supplier offers them Super Bowl tickets, or their boss asks them for a blowjob, or the new head of marketing wants to email the user database to an ad exec, or plenty of other things.
Most likely as a result they also need a trustworthy expert they can escalate any hard questions to. That could be somebody in-house at a big organisation or it could be outsourced, especially at smaller firms. Any questions they ask can help shape future training.
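The compression leak the comment refers to, as an added worked example that is not part of the thread. Everything in it is constructed: the page template, the token `9f3a7c1d`, and the assumption that the attacker can trigger requests with a chosen query string (the JavaScript case above) and observe only the compressed response length. `shared_context_len` models a server that gzips the whole body in one context; `separate_context_len` models the per-field approach the comment attributes to HTTP/3 header compression, where attacker-controlled bytes can never be encoded as a back-reference into secret bytes. The `Z_FIXED` strategy is used so that one extra literal costs exactly 8 bits and the demo is deterministic; real servers use dynamic Huffman codes, which make the signal noisier (attackers then repeat measurements or use tricks such as "two tries"), not absent.

```python
"""BREACH-style compression oracle demo (constructed example, offline)."""
import zlib
from typing import Callable, Optional

# Constructed secret; a real token would be longer, the mechanism is the same.
SECRET = b"9f3a7c1d"
ALPHABET = b"0123456789abcdef"   # attacker knows the token is lowercase hex
SENTINEL = b"~"                  # a byte that cannot occur inside the token
CONTEXT = 5                      # bytes of already-known prefix sent with each guess

# Static Huffman codes only: makes the length difference an exact 1 byte.
# (Z_FIXED is 4 in zlib.h; the getattr is only a hedge for old Python builds.)
Z_FIXED = getattr(zlib, "Z_FIXED", 4)


def render_page(reflected: bytes) -> bytes:
    """Constructed HTML: secret token in a link, attacker input echoed below it."""
    return (
        b"<html><head><title>Search</title></head><body>\n"
        b'<a href="/account/delete?csrf=' + SECRET + b'">Delete account</a>\n'
        b"<p>Search results for: " + reflected + b"</p>\n"
        b"</body></html>\n"
    )


def deflate_len(data: bytes) -> int:
    """Compressed size in bytes, which is all the attacker gets to see."""
    c = zlib.compressobj(9, zlib.DEFLATED, 15, 8, Z_FIXED)
    return len(c.compress(data) + c.flush())


def shared_context_len(reflected: bytes) -> int:
    """Today's common setup: one DEFLATE context over the whole response body."""
    return deflate_len(render_page(reflected))


def separate_context_len(reflected: bytes) -> int:
    """Per-field compression: the attacker-controlled field is compressed on its
    own, so its bytes can never be matched against the secret-bearing part."""
    return deflate_len(render_page(b"")) + deflate_len(reflected)


def recover_token(oracle: Callable[[bytes], int], length: int) -> Optional[bytes]:
    """Recover the token one byte at a time from compressed-length observations.

    Each guess is: last CONTEXT known bytes + candidate + SENTINEL. If the
    candidate is right, the LZ77 match against the real token is one byte
    longer and the output is one byte shorter. Returns None as soon as a
    position has no unique smallest size (the oracle is not leaking).
    """
    known = b"csrf="            # the prefix that precedes the token in the page
    for _ in range(length):
        ctx = known[-CONTEXT:]
        sizes = {bytes([c]): oracle(ctx + bytes([c]) + SENTINEL) for c in ALPHABET}
        best = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == best]
        if len(winners) != 1:
            return None
        known += winners[0]
    return known[len(b"csrf="):]


if __name__ == "__main__":
    print("shared context  :", recover_token(shared_context_len, len(SECRET)))
    print("separate context:", recover_token(separate_context_len, len(SECRET)))
```

Run as-is it recovers the whole token through the shared-context oracle and gives up immediately on the separate-context one, because every candidate there produces the same size. The check a practitioner wants to apply to their own stack is the same shape: can any attacker-influenced bytes and any secret bytes end up in one compression context (response bodies, HTTP/2 header fields before HPACK, TLS-level compression before it was removed)? If so, length is an oracle regardless of how good the encryption is.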