Re: [ietf-smtp] [Shutup] Compressing SMTP streams

2016-02-09 04:48:30
Martijn Grooten <martijn(_at_)lapsedordinary(_dot_)net> wrote:

I can't see how a CRIME-like attack on SMTP+TLS could work either.

If you can identify an auto-responder which sends using SMTP AUTH PLAIN or
LOGIN, and if the SMTP AUTH and message envelope are in the same
compression context, you can use the coupling between the credentials and
your choice of recipient address to attack the credentials. Everything
else in the SMTP transaction up to that point is fixed.

f.anthony.n.finch  <dot(_at_)dotat(_dot_)at>
Viking, North Utsire: Westerly at first in south, otherwise cyclonic, becoming
northerly later in Viking, 5 or 6. Moderate or rough. Showers. Good.
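
The coupling described in the reply above, as an added example that is not part of the original message: it measures whether the compressed size of the envelope depends on the credentials when both share one deflate history, and shows that resetting the history (`Z_FULL_FLUSH`) before the envelope removes that dependence. The credentials, the `example.net` recipient domain and the function names are constructed for illustration.

```python
import base64
import zlib

# Constructed sample credentials (SASL PLAIN form: NUL user NUL password).
CRED_A = b"\0alice\0correct-horse"
CRED_B = b"\0carol\0battery-stapl"


def envelope_wire_size(credentials: bytes, rcpt_local: bytes, isolate: bool) -> int:
    """Return the compressed size of the envelope commands.

    One deflate stream carries AUTH and then the envelope. With
    isolate=False the two share history (Z_SYNC_FLUSH); with isolate=True
    a Z_FULL_FLUSH resets the history before the envelope is compressed.
    """
    comp = zlib.compressobj()
    auth = b"AUTH PLAIN " + base64.b64encode(credentials) + b"\r\n"
    boundary = zlib.Z_FULL_FLUSH if isolate else zlib.Z_SYNC_FLUSH
    comp.compress(auth)
    comp.flush(boundary)
    envelope = b"MAIL FROM:<>\r\nRCPT TO:<" + rcpt_local + b"@example.net>\r\n"
    return len(comp.compress(envelope) + comp.flush(zlib.Z_SYNC_FLUSH))


def length_signal(isolate: bool) -> int:
    """Bytes by which the envelope size depends on the credentials."""
    # Recipient local part that equals the start of CRED_A's encoding.
    rcpt_local = base64.b64encode(CRED_A)[:12]
    with_a = envelope_wire_size(CRED_A, rcpt_local, isolate)
    with_b = envelope_wire_size(CRED_B, rcpt_local, isolate)
    return with_b - with_a


if __name__ == "__main__":
    print("shared context:  ", length_signal(isolate=False), "bytes")
    print("isolated context:", length_signal(isolate=True), "bytes")
```

A nonzero result in the shared case is the length signal; a design that compresses SMTP needs the isolated behaviour (or no compression) around SMTP AUTH.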
