John Levine <johnl(_at_)taugh(_dot_)com> wrote:
I was hoping we could get this for free with TLS, but few libraries
implement it and https://en.wikipedia.org/wiki/CRIME seems to have made
them leery about it. I don't think SMTP is implicated because it doesn't
I agree that the CRIME cookie issue seems irrelevant to SMTP since
there isn't any context saved from one session to the next.
I'm not so sure.
You might be able to perform a CRIME attack against SMTP AUTH if you can
cause an AUTH user to send messages with envelope addresses under your
control, for instance if the AUTH user has an auto-responder.
f.anthony.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
Tyne, Dogger, Fisher, German Bight: West or southwest 7 to severe gale 9,
occasional storm 10 at first except in German Bight. Rough or very rough,
becoming high at times except in Tyne. Rain or showers. Good, occasionally
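
Added example, not part of the original message or the thread: a small measurement of the length side channel the reply above describes, where an envelope address that repeats AUTH data makes the compressed stream shorter when both share one compression context. The credential, host names, address and the Z_FULL_FLUSH boundary used to separate contexts are assumptions made for illustration.

```python
import zlib

# Constructed sample data: not a real credential, host or address.
CREDENTIAL = b"AGFsaWNlAHM4Zk0ycVh2N0xwUjRiVHc5ZEs"  # stand-in for an AUTH PLAIN response
ENVELOPE_REPEAT = CREDENTIAL        # envelope text that repeats the credential
ENVELOPE_OTHER = CREDENTIAL[::-1]   # same bytes reversed: same length, no repeat


def wire_size(envelope_local: bytes, isolate_auth: bool) -> int:
    """Compressed size of one client session as an on-path observer sees it.

    isolate_auth=False models one compression context for the whole
    stream, as with TLS-level compression. isolate_auth=True issues a
    Z_FULL_FLUSH after AUTH, which resets the deflate state so later
    data cannot back-reference the credential.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate stream
    out = comp.compress(b"EHLO client.example\r\n")
    out += comp.compress(b"AUTH PLAIN " + CREDENTIAL + b"\r\n")
    out += comp.flush(zlib.Z_FULL_FLUSH if isolate_auth else zlib.Z_SYNC_FLUSH)
    out += comp.compress(b"MAIL FROM:<" + envelope_local + b"@example.net>\r\n")
    out += comp.flush(zlib.Z_SYNC_FLUSH)
    return len(out)


def size_gap(isolate_auth: bool) -> int:
    """Bytes saved on the wire when the envelope repeats the credential."""
    return wire_size(ENVELOPE_OTHER, isolate_auth) - wire_size(ENVELOPE_REPEAT, isolate_auth)


if __name__ == "__main__":
    print("shared context gap:  ", size_gap(False), "bytes")
    print("isolated context gap:", size_gap(True), "bytes")
```

A non-zero gap in the shared case is the signal that ciphertext length depends on the secret; with the contexts separated, or with compression disabled, the gap disappears.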