7. Security Considerations
The deflate algorithm is complex and hence prone to implementation
errors. In particular, certain inflate implementations are known
to not perform sufficient checking of their input stream and hence
may be vulnerable to certain forms of attack. Aside from this, the
new content-transfer-encodings specified in this document are believed
not to raise any security considerations not already present in MIME
itself.
<snip>
Huuu.... ;-)
I'm currently hacking up experimental support for this for KMail and
I've come across the fact that I can't give a maximum decoded size for
a given encoded size, although the following experiments suggest that
the decoded size converges to about ( 1000 * encoded size ) as encoded
size tends to infinity:
...
So there you have a nice DoS attack: send a 1M message with all "a"s and
deflate-8bit to someone you don't like and see his box grind to a halt
under the memory pressure of a 1G attachment....
Excellent point, and one that certainly needs to be mentioned in the
security considerations section. In fact this probably is something
that should be mentioned in the security considerations for the
similar content-encodings for HTTP, if it isn't already.
Ned
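
The mitigation this exchange points to, as an added example that is not part of the original messages or of KMail: inflate with a hard cap on decoded size and reject the part once the cap is passed, instead of expanding it fully in memory. The function names, the cap values and the raw-deflate framing (wbits=-15) are assumptions; the sample input is constructed.

```python
import zlib

class DecodedSizeExceeded(ValueError):
    """The stream would inflate past the caller's limit."""

def bounded_inflate(encoded, max_decoded, chunk=64 * 1024):
    """Inflate `encoded`, never buffering more than max_decoded + 1 bytes."""
    # Assumption: raw deflate framing (wbits=-15); use zlib.MAX_WBITS
    # instead if the encoding carries a zlib header.
    d = zlib.decompressobj(-15)
    out = bytearray()
    buf = encoded
    while not d.eof:
        # Request at most one byte beyond the remaining budget, so an
        # oversized stream is detected without being expanded in memory.
        want = min(chunk, max_decoded - len(out) + 1)
        piece = d.decompress(buf, want)
        out += piece
        if len(out) > max_decoded:
            raise DecodedSizeExceeded(
                "decoded size exceeds %d bytes" % max_decoded)
        buf = d.unconsumed_tail
        # No output, no input left, and no end-of-stream marker seen.
        if not piece and not buf and not d.eof:
            raise ValueError("truncated deflate stream")
    return bytes(out)

def make_sample(n=1 << 20):
    """Constructed input: n bytes of 'a', deflated at level 9 (raw framing)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(b"a" * n) + c.flush()

def check_attachment(encoded, max_decoded):
    """Return (accepted, decoded_len); decoded_len is None when rejected."""
    try:
        return True, len(bounded_inflate(encoded, max_decoded))
    except DecodedSizeExceeded:
        return False, None

if __name__ == "__main__":
    enc = make_sample()
    print("encoded bytes:", len(enc))
    print("cap 1 MiB :", check_attachment(enc, 1 << 20))
    print("cap 64 KiB:", check_attachment(enc, 64 * 1024))
```

The cap should come from local policy (for example the maximum message size the client is willing to hold), since the encoded size alone gives no useful bound.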