[Ach] NO_COMPRESSION on postfix
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Dec 18 17:29:47 CET 2014
On 12/18/2014 06:55 AM, Aaron Zauner wrote:
> * Tim <tim at bastelfreak.de> [141218 10:27]:
>> you recommend "tls_ssl_options = NO_COMPRESSION" on postfix, can you
>> tell me why compression is a bad idea? I'm familiar with
>> https://en.wikipedia.org/wiki/CRIME but this seems to only apply on http?
> The BREACH attack works specifically on HTTP compression. CRIME
> applies to TLS compression in general. That being said CRIME won't
> work against SMTP.

I get that CRIME is designed to specifically target web cookies, but i
*don't* think that means it can't work against SMTP.

Consider the following scenario (i'm sure there are others):

 * a network service is configured to e-mail alerts to an administrator
   when Something Bad happens.

 * the e-mailed alerts contain information about what happened.

 * the e-mails contain other information which is (roughly) static but
   sensitive (like service configuration details).

 * the adversary can monitor the size of the traffic in the SMTP TLS stream.

 * the adversary figures out how to cause the error to happen on the
   network service, and can modify inputs to the error (e.g. they request a
   web page with a bad URL, which causes the alert, which contains the URL).

 * the adversary wants to know some service configuration details.

 * the adversary triggers an adaptive series of errors (e.g. submitting
   a series of URLs) based on the size of the resulting e-mail, to learn
   some form of information about the service configuration.

I'm sure there are other kinds of scenarios where SMTP is at risk for
this kind of CRIME-ish attack.

keeping compression disabled is a good idea.
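
The size signal in the scenario above can be measured on a constructed alert message. This is an added example, not part of the original post: the alert template, `CONFIG_LINE` and `FILLER` are hypothetical, and `zlib` (DEFLATE) stands in for TLS-level compression, with record overhead ignored.

```python
import string
import zlib

# Constructed stand-in for the "roughly static but sensitive" part of the alert.
CONFIG_LINE = "db_password=constructed-example-pw"
# Same-length filler that shares no substring with the alert text.
FILLER = (string.ascii_uppercase + string.digits)[:len(CONFIG_LINE)]


def build_alert(requested_url: str) -> bytes:
    """Alert e-mail body: a request-controlled field plus static configuration."""
    return (
        "Subject: ALERT bad request\r\n\r\n"
        f"Requested URL: /{requested_url}\r\n"
        "--- service configuration ---\r\n"
        f"{CONFIG_LINE}\r\n"
    ).encode("ascii")


def observed_size(body: bytes, tls_compression: bool) -> int:
    """Payload length visible to someone watching the encrypted stream."""
    return len(zlib.compress(body, 9)) if tls_compression else len(body)


def leak_profile(tls_compression: bool) -> dict[int, int]:
    """Map 'characters the URL shares with CONFIG_LINE' to the observed size."""
    profile = {}
    for shared in (0, len(CONFIG_LINE) // 2, len(CONFIG_LINE)):
        # Every URL has the same length, so plaintext size never changes.
        url = CONFIG_LINE[:shared] + FILLER[shared:]
        profile[shared] = observed_size(build_alert(url), tls_compression)
    return profile


if __name__ == "__main__":
    for mode in (True, False):
        label = "compression on " if mode else "compression off"
        print(label, leak_profile(mode))
```

With compression on, the observed size shrinks as the request-controlled field overlaps the static configuration text; with compression off, every message has the same size, which is the effect of `NO_COMPRESSION`.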