Re: [ietf-smtp] ALPN

2021-07-29 01:39:36
On Thursday 29 July 2021 06:46:32 CEST, Claus Assmann wrote:
> On Wed, Jul 28, 2021, John Levine wrote:
>
>> I have trouble imagining an actual threat, and even more trouble imagining
>> one where an ALPN would make any difference.
>
> Isn't this what "ALPACA" is about?

ALPN defends against that attack by making other ALPNs different from what code running on the VM inside a web browser requires.

In this case, we're talking about whether there is one different ALPN or four. Either case suffices to protect email servers from being involved in attacks against web browsers.

Four means that a malevolent server cannot fool code that expects to connect to an IMAP server into connecting to an SMTP server and revealing secrets (e.g. by sending an APPEND command). But IMAP clients don't run server-supplied code, and don't contain VMs that could protect against malevolent server-supplied code by checking ALPN.

I like having one ALPN identifier rather than four, since it requires a smaller change to email clients that share/reuse code for using TLS within different protocols,
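As an added example, not code from any of the thread's participants, here is the ALPN extension encoding and the server-side selection rule from RFC 7301, showing how a mismatched identifier ends the handshake instead of letting a browser-driven connection reach a mail server. The protocol identifier strings used in the demo are stand-ins for illustration, not a statement of which identifiers are registered.

```python
import struct

ALPN_EXTENSION_TYPE = 16       # RFC 7301 extension_type for ALPN
NO_APPLICATION_PROTOCOL = 120  # TLS alert description defined by RFC 7301

def encode_alpn_extension(protocols):
    """Build one ClientHello extension (type, length, ProtocolNameList)."""
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(body)) + body

def decode_alpn_extension(data):
    """Parse the extension back into the list of offered identifiers,
    rejecting the length inconsistencies a careless parser would accept."""
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != ALPN_EXTENSION_TYPE or ext_len != len(data) - 4:
        raise ValueError("not a well-formed ALPN extension")
    (list_len,) = struct.unpack("!H", data[4:6])
    if list_len == 0 or list_len != ext_len - 2:
        raise ValueError("bad ProtocolNameList length")
    names, pos = [], 6
    while pos < len(data):
        n = data[pos]  # each ProtocolName is a 1-byte length prefixed string
        if n == 0 or pos + 1 + n > len(data):
            raise ValueError("bad ProtocolName length")
        names.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names

def server_select(server_protocols, client_hello_ext):
    """Server side: choose the first protocol in the server's own preference
    order that the client offered; with no overlap the handshake is aborted
    with the fatal no_application_protocol alert."""
    offered = decode_alpn_extension(client_hello_ext)
    for p in server_protocols:
        if p in offered:
            return ("selected", p)
    return ("alert", NO_APPLICATION_PROTOCOL)

if __name__ == "__main__":
    # A browser offers its own identifiers; a server speaking only the
    # stand-in identifier "imap" refuses, which is the cross-protocol defense.
    print(server_select(["imap"], encode_alpn_extension(["h2", "http/1.1"])))
    # Four distinct mail identifiers: an "imap" client cannot be handed an
    # "smtp" server. One shared identifier (stand-in "mail") would accept.
    print(server_select(["smtp"], encode_alpn_extension(["imap"])))
    print(server_select(["mail"], encode_alpn_extension(["mail"])))
```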