> On 06 Feb 2016, at 12:32, Martijn Grooten <[email protected]> wrote:
>
> On Sat, Feb 06, 2016 at 11:15:54AM +0100, Aaron Zauner wrote:
>> Do you guys have any numbers on this? I.e. what the advantage and
>> compression ratio for your average mail traffic will be? I suspect
>> compression is helpful in SMTP but it may also introduce
>> vulnerabilities in combination with TLS. CRIME wasn't the only attack
>> on compression, there's also been application layer specific attacks
>> BREACH for example (breachattack.com). A team is currently working on
>> improving these attacks in application layer protocols, circumvent
>> counter-measures in clients et cetera (from a talk at
>> RealWorldCrypto2016 -
>> https://drive.google.com/file/d/0Bzm_4XrWnl5zMkJJdHo0Rml4bXM/view?usp=sharing).
>
> I think it's fair to say (as others have done already) that none of
> these attacks work against SMTP as they all require the attacker to
> force the client to make specific requests to the target.
Well, yes. You just can't do JavaScript via SMTP (yet) :)

> But these attacks also show that compression and encryption don't go
> well together. And crypto is hard and provides plenty of opportunities
> to mess up. For that reason, I would suggest following TLS 1.3 and not
> combine the two, as it would teach people bad habits.

There aren't that many people looking into this; with renewed research efforts I fear that these attacks may improve significantly. The authors of the mentioned work on improving these attacks explicitly mentioned other application layer protocols than HTTP(S) in the Q/A after the talk. They will also be presenting new attacks at upcoming conferences.

As I see it - adding compression might reduce traffic load for some providers but at the same time may introduce new vulnerabilities in the future to already poorly-secured protocols like SMTP.

Aaron
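The length side channel the thread refers to (the mechanism behind CRIME and BREACH) can be measured directly with zlib. The following is an added illustration, not code from the thread or from any mail server: the secret, the candidate strings and the record layout are constructed sample values. It shows that when attacker-influenced text and a secret share one DEFLATE context the observed length depends on how much of the secret the text repeats, and that sending the record uncompressed (the "don't combine the two" option) removes that dependence.

```python
import zlib

# Constructed sample values (not from the thread): a secret the server adds to
# every message and attacker-influenced text that lands in the same record.
SECRET = "token=7f3a9c1e"
CANDIDATES = {
    "exact":    "token=7f3a9c1e",   # candidate fully matches the secret
    "prefix":   "token=deadbeef",   # only the "token=" prefix matches
    "no_match": "qwertyuiopasdf",   # same length, shares no 3-byte run
}


def observed_length(secret: str, candidate: str, compress: bool) -> int:
    """Length an on-path observer sees for one record.

    With compression applied before encryption, the ciphertext length
    tracks the DEFLATE output, so LZ77 back-references between the
    candidate and the secret shorten the record. Without compression it
    simply tracks the plaintext length.
    """
    record = f"{candidate}\r\n{secret}\r\n".encode()
    return len(zlib.compress(record, 9)) if compress else len(record)


def length_leaks_secret(secret: str, candidates: dict, compress: bool) -> bool:
    """True when equal-length candidates yield different observed lengths,
    i.e. the length channel carries information about the secret."""
    if len({len(c) for c in candidates.values()}) != 1:
        raise ValueError("candidates must have equal length for a fair test")
    lengths = {observed_length(secret, c, compress) for c in candidates.values()}
    return len(lengths) > 1


if __name__ == "__main__":
    for compress in (True, False):
        sizes = {k: observed_length(SECRET, v, compress) for k, v in CANDIDATES.items()}
        verdict = "leaks" if length_leaks_secret(SECRET, CANDIDATES, compress) else "no leak"
        print("compression", "on " if compress else "off", sizes, verdict)
```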
_______________________________________________ Shutup mailing list [email protected] https://www.ietf.org/mailman/listinfo/shutup
