People have been mailing around vast numbers of DMARC reports, most
of which have an application/gzip body.  If there have been attacks
using DEFLATE bugs, nobody's gotten around to reporting them.

I'm not much worried about attacks on DEFLATE and SMTP traffic. But as I understand from the draft, there's also an option to report back via HTTPS. Here DEFLATE may become a security issue.

I don't see why. HTTP has had gzip encoding since http/1.0 twenty years ago, but I only defined application/gzip for mail in 2012. Your browser probably decodes deflated pages dozens of times a day.

Also, remember the DMARC experience, that in practice nobody is interested in http reports if they can send mail. You might ask around and see if you can find anyone who would send http reports if they had the option to do so. I implemented the http option from the DMARC draft (sort of, given that the draft language was a mess) and the number of attempts I saw was zero.

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
