Re: [ietf-smtp] [Shutup] Compressing SMTP streams

2016-02-06 05:32:36
On Sat, Feb 06, 2016 at 11:15:54AM +0100, Aaron Zauner wrote:
Do you guys have any numbers on this? I.e. what the advantage and
compression ratio for your average mail traffic will be? I suspect
compression is helpful in SMTP but it may also introduce
vulnerabilities in combination with TLS. CRIME wasn't the only attack
on compression, there's also been application layer specific attacks
BREACH for example ( A team is currently working on
improving these attacks in application layer protocols, circumvent
counter-measures in clients et cetera (from a talk at             
RealWorldCrypto2016 -

I think it's fair to say (as others have done already) that none of
these attacks work against SMTP as they all require the attacker to
force the client to make specific requests to the target.

But these attacks also show that compression and encryption don't go
well together. And crypto is hard and provides plenty of opportunities
to mess up. For that reason, I would suggest following TLS 1.3 and not
combining the two, as it would teach people bad habits.
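
Added example, not part of the original message: a small Python model of why compressing before encrypting leaks through length, and why leaving compression off (as TLS 1.3 does) removes the signal. The header name, token values and the assumption that the cipher adds only constant overhead are constructed for illustration.

```python
import zlib

# Constructed sample data; nothing here comes from the thread.
SECRET = b"X-Token: 7f3a9c1e5b2d8460"
RIGHT_GUESS = b"X-Token: 7f3a9c1e5b2d8460"
# Same length as the right guess, different token value.
WRONG_GUESSES = [
    b"X-Token: 0d6b47e2a918c5f3",
    b"X-Token: e8150c2f9a64b7d3",
]


def observed_length(injected: bytes, compress: bool) -> int:
    """Length an on-path observer sees for one record.

    Assumption: the cipher preserves length up to a constant overhead,
    so the plaintext (or compressed plaintext) length stands in for the
    ciphertext length.
    """
    record = injected + b"\r\n" + SECRET + b"\r\n"
    if compress:
        # Shared compression context: injected text and secret are
        # deflated together, so a repeated string becomes one short
        # back-reference instead of a run of literals.
        record = zlib.compress(record, 9)
    return len(record)


def length_gap(compress: bool) -> int:
    """Bytes by which the shortest wrong guess exceeds the right guess."""
    right = observed_length(RIGHT_GUESS, compress)
    wrong = min(observed_length(g, compress) for g in WRONG_GUESSES)
    return wrong - right


if __name__ == "__main__":
    for compress in (True, False):
        label = "compressed" if compress else "uncompressed"
        print(f"{label:>12}: right={observed_length(RIGHT_GUESS, compress)}"
              f" gap={length_gap(compress)}")
```

With compression on, the record containing the matching text is measurably shorter; with compression off, equal-length inputs give equal-length records, so the length carries no information about the secret.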


