> On 05 May 2016, at 22:04, John R Levine <[email protected]> wrote:
>
>>> People have been mailing around vast numbers of DMARC reports, most
>>> of which have an application/gzip body. If there have been attacks
>>> using DEFLATE bugs, nobody's gotten around to reporting them.
>>
>> I'm not much worried about attacks on DEFLATE and SMTP traffic. But as I
>> understand from the draft, there's also an option to report back via HTTPS.
>> Here DEFLATE may become a security issue.
>
> I don't see why. HTTP has had gzip encoding since http/1.0 twenty years ago,
> but I only defined application/gzip for mail in 2012. Your browser probably
> decodes deflated pages dozens of times a day.
Exactly. And this is an open security issue today. It's the reason why people needed to come up with 'first party cookies'.
https://github.com/dionyziz/rupture

> Also, remember the DMARC experience, that in practice nobody is interested in
> http reports if they can send mail. You might ask around and see if you can
> find anyone who would send http reports if they had the option to do so. I
> implemented the http option from the DMARC draft (sort of, given that the
> draft language was a mess) and the number of attempts I saw was zero.

I think STS is quite different from DMARC in many respects, but I'm interested in the authors' opinions on that: would they prefer mail delivery or HTTPS? Does it depend on the deployment/hosting environment, etc.?

Aaron
