On Sun, Sep 20, 2015 at 11:02:19AM +0200, Julien ÉLIE wrote:

> Though I've read a few pages explaining how CRIME and BEAST attacks work, I
> still do not see well how TLS-level compression would make NNTP vulnerable.
> Same thing for POP or IMAP I believe.
> 
> The news server does not leak information.  The responses are just OK or KO.
> For instance:
> 
> AUTHINFO USER test
> 381 Enter password
> AUTHINFO PASS test
> 281 Authentication succeeded
> 
> or in the case of an authentication failure:
> 
> AUTHINFO USER test
> 381 Enter password
> AUTHINFO PASS badpassword
> 481 Authentication failed
> 
> How would compression make NNTP weaker?
> (Brute-force attack is still necessary, even with compression enabled.)

Consider what happens when data that follows authentication (in
subsequent message bodies) either does or does not match some part
of the password...

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
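
The effect described in the reply above, as an added example that is not part of the original message: Python's zlib stands in for TLS-level compression, with one shared compression context for the AUTHINFO exchange and a later article. The password, the unrelated string and the article text are constructed sample values, and record_lengths() and article() are hypothetical helper names.

```python
from __future__ import annotations

import zlib

# Constructed sample values, not taken from the thread.
PASSWORD = b"Xk4Tz9Qw2Lm7Rb5Nc8Hd1Vf3"
UNRELATED = b"q9Wm2Lk7Zb4Hn0Vc5Td8Rj1F"  # same length, shares no substring

# What the client sends first, in the same direction as later articles.
AUTH = b"AUTHINFO USER test\r\nAUTHINFO PASS " + PASSWORD + b"\r\n"


def article(fragment: bytes) -> bytes:
    """A POST command and a message body that embeds `fragment`."""
    return (b"POST\r\nSubject: hello\r\n\r\nSome text "
            + fragment + b" more text\r\n.\r\n")


def record_lengths(fragment: bytes, compress: bool) -> tuple[int, int]:
    """Return the sizes of (auth record, article record) before encryption.

    Encryption hides content but not these sizes, so they are what an
    observer of the connection can measure.
    """
    body = article(fragment)
    if not compress:
        return len(AUTH), len(body)
    # One compression context per direction: the dictionary built while
    # compressing AUTH is still in the window when the article is sent.
    ctx = zlib.compressobj()
    first = ctx.compress(AUTH) + ctx.flush(zlib.Z_SYNC_FLUSH)
    second = ctx.compress(body) + ctx.flush(zlib.Z_SYNC_FLUSH)
    return len(first), len(second)


if __name__ == "__main__":
    for label, frag in (("matches password", PASSWORD),
                        ("unrelated text  ", UNRELATED)):
        plain = record_lengths(frag, compress=False)[1]
        packed = record_lengths(frag, compress=True)[1]
        print(f"body {label}: uncompressed={plain} compressed={packed}")
```

Without compression both article records have the same size; with compression the article that repeats the password is shorter, because the compressor replaces the repeat with a back-reference into the earlier AUTHINFO PASS line. The server's replies never have to leak anything for that size difference to exist.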
