[Ach] NO_COMPRESSION on postfix

Aaron Zauner azet at azet.org
Thu Dec 18 19:00:24 CET 2014


* Daniel Kahn Gillmor <dkg at fifthhorseman.net> [141218 17:29]:
> On 12/18/2014 06:55 AM, Aaron Zauner wrote:
> > * Tim <tim at bastelfreak.de> [141218 10:27]:
> 
> >> you recommend "tls_ssl_options = NO_COMPRESSION" on postfix, can you
> >> tell me why compression is a bad idea? I'm familiar with
> >> https://en.wikipedia.org/wiki/CRIME but this seems to only apply on http?
> > 
> > The BREACH attack works specifically on HTTP compression. CRIME
> > applies to TLS compression in general. That being said CRIME won't
> > work against SMTP. 
> 
> I get that CRIME is designed to specifically target web cookies, but i
> *don't* think that means it can't work against SMTP.
> 
> Consider the following scenario (i'm sure there are others):
> 
>  * a network service is configured to e-mail alerts to an administrator
> when Something Bad happens.
> 
>  * the e-mailed alerts contain information about what happened.
> 
>  * the e-mails contain other information which is (roughly) static but
> sensitive (like service configuration details).
> 
>  * the adversary can monitor the size of the traffic in the SMTP TLS stream.
> 
> --------
> 
> Attack:
> 
>  * the adversary figures out how to cause the error to happen on the
> network service, and can modify inputs to the error (e.g. they request a
> web page with a bad URL, which causes the alert, which contains the URL).
> 
>  * the adversary wants to know some service configuration details.
> 
>  * the adversary triggers an adaptive series of errors (e.g. submitting
> a series of URLs) based on the size of the resulting e-mail, to learn
> some form of information about the service configuration.

While I agree in general, it'll take a *lot* of monitoring mails for
CRIME to work in this case. I'm also not certain if a full message
recovery will work (think of mail headers etc.).

But yes, that's beside the point, the Wikipedia page is actually
misleading regarding CRIME being an HTTP(S)-specific attack. This was
just their demo purpose at the talk they were giving.

Actually I will try to work this out during my new assignment
starting in January. Thanks for the input. If you want to
collaborate, let me know.

> 
> -----
> 
> I'm sure there are other kinds of scenarios where SMTP is at risk for
> this kind of CRIME-ish attack.
> 
> keeping compression disabled is a good idea.

Absolutely.

Aaron
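
The size signal in the alert-mail scenario quoted above, as an added example that is not part of the original thread: it compares the on-the-wire size of two alert mails whose reflected URLs have equal length, with and without compression. It assumes TLS compression can be modelled by zlib (DEFLATE) over the whole message and that ciphertext length tracks plaintext length; the mail body, the configuration line and the URLs are constructed sample data.

```python
import zlib

# Constructed sample data: a static but sensitive line in every alert mail.
SECRET = "db_password=Xk9vQ2mLr7Tz4wB8nHc1"
STATIC_BODY = (
    "Subject: [alert] request failed\r\n"
    "\r\n"
    "Service configuration:\r\n"
    "  listen=0.0.0.0:8080\r\n"
    f"  {SECRET}\r\n"
    "Failing request URL: "
)

# Two reflected URLs of identical length: one repeats the sensitive line,
# the other shares only the "db_password=" prefix.
MATCHING = "/x?" + SECRET
NON_MATCHING = "/x?db_password=" + "Jf3GyU6sPe0Ad5NiWq7Z"


def alert_mail(url: str) -> bytes:
    """Alert mail that reflects the failing URL next to the static body."""
    return (STATIC_BODY + url + "\r\n").encode("ascii")


def wire_size(url: str, compression: bool) -> int:
    """Bytes an on-path observer would count for this mail.

    Assumption: encryption adds only constant overhead, so the observable
    size is the (optionally DEFLATE-compressed) plaintext size.
    """
    msg = alert_mail(url)
    return len(zlib.compress(msg, 6)) if compression else len(msg)


def size_gap(url_a: str, url_b: str, compression: bool) -> int:
    """How many bytes larger the mail for url_b is than the mail for url_a."""
    return wire_size(url_b, compression) - wire_size(url_a, compression)


if __name__ == "__main__":
    for compression in (True, False):
        label = "compression on " if compression else "NO_COMPRESSION "
        print(label,
              "matching:", wire_size(MATCHING, compression),
              "non-matching:", wire_size(NON_MATCHING, compression),
              "gap:", size_gap(MATCHING, NON_MATCHING, compression))
```

With compression enabled, the mail that repeats the sensitive line is shorter because DEFLATE replaces the repeat with a back-reference; with compression off the two mails are the same size, which is the effect `tls_ssl_options = NO_COMPRESSION` is after.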
