[Ach] NO_COMPRESSION on postfix

Thu Dec 18 17:29:47 CET 2014

On 12/18/2014 06:55 AM, Aaron Zauner wrote:
> * Tim <tim at bastelfreak.de> [141218 10:27]:

>> you recommend "tls_ssl_options = NO_COMPRESSION" on postfix, can you
>> tell my why compression is a bad idea? I'm familiar with
>> https://en.wikipedia.org/wiki/CRIME but this seems to only apply on http?
> 
> The BREACH attack works specifically on HTTP compression. CRIME
> applies to TLS compression in genereal. That being said CRIME won't
> work against SMTP. 

I get that CRIME is designed to specifically target web cookies, but i
*don't* think that means it can't work against SMTP.

Consider the following scenario (i'm sure there are others):

 * a network service is configured to e-mail alerts to an administrator
when Something Bad happens.

 * the e-mailed alerts contain information about what happened.

 * the e-mails contain other information which is (roughly) static but
sensitive (like service configuration details).

 * the adversary can monitor the size of the traffic in the SMTP TLS stream.

--------

Attack:

 * the adversary figures out how to cause the error to happen on the
network service, and can modify inputs to the error (e.g. they request a
web page with a bad URL, which causes the alert, which contains the URL).

 * the adversary wants to know some service configuration details.

 * the adversary triggers an adaptive series of errors (e.g. submitting
a series of URLs) based on the size of the resulting e-mail, to learn
some form of information about the service configuration.

-----

I'm sure there are other kinds of scenarios where SMTP is at risk for
this kind of CRIME-ish attack.

keeping compression disabled is a good idea.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20141218/6666e7c0/attachment.sig>