The threat model is this: Mallory controls some number of bytes in a web page. Can she exfiltrate data about Alice's session (e.g., bank account number) by only knowing the size of the compressed payload and modifying her portion of the content?
For this purpose, TLS is a fixed-sized modification:
|TLS(m)| = |m| + k
for a constant k. So it doesn't meaningfully impact this attack: you can do it with just compression and no encryption.
Compression is useful when the cost of sending bytes exceeds the cost to decompress. If you start padding compression back to the original payload length, you get no benefit from compressing in the first place. If instead you introduce a random amount of padding, this adds overhead both to decompression and in transfer, at a marginal benefit to security (the attacker needs more requests -- either to recover a larger portion of the secret's context, or to control for the random noise).
This is also a cryptopals exercise:
https://cryptopals.com/sets/7/challenges/51
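The size signal described above, and what two countermeasures do to it, as an added example that is not part of the original comment. The page contents, the constant K standing in for k, and the function names are all constructed for illustration; compressing the secret and the reflected bytes as separate streams is a mitigation added here for comparison, while padding to the original length is the one the comment discusses.

```python
import zlib

K = 29  # placeholder for the constant per-message overhead k (constructed value)

# Constructed sample page: static markup, Alice's secret, then reflected input.
STATIC = b"<html><body><p>Welcome back, Alice.</p>"
SECRET = b"<input type=hidden name=acct value=4417-2290-8831-0056>"
MATCH = b"name=acct value=4417-2290-8"  # reflected bytes that repeat part of SECRET
MISS = b"name=acct value=QzLwXkRvTnY"   # same length, diverges after the prefix


def observed_shared(reflected: bytes) -> int:
    """|TLS(compress(page))|: secret and reflected bytes share one DEFLATE window."""
    return len(zlib.compress(STATIC + SECRET + reflected)) + K


def observed_separate(reflected: bytes) -> int:
    """Secret and reflected bytes compressed as independent streams."""
    return len(zlib.compress(STATIC + SECRET)) + len(zlib.compress(reflected)) + K


def observed_padded(reflected: bytes) -> int:
    """Compressed body padded back up to the uncompressed length."""
    page = STATIC + SECRET + reflected
    return max(len(zlib.compress(page)), len(page)) + K


if __name__ == "__main__":
    for name, fn in [("shared context", observed_shared),
                     ("separate streams", observed_separate),
                     ("padded to original", observed_padded)]:
        # A non-zero difference means the observed size depends on the secret.
        print(f"{name:20s} match={fn(MATCH):4d} miss={fn(MISS):4d} "
              f"diff={fn(MISS) - fn(MATCH)}")
    page_len = len(STATIC + SECRET + MATCH)
    print("bytes saved by compression once padded:",
          page_len + K - observed_padded(MATCH))
```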