Am 10.04.2014 15:04, schrieb Andreas Schulze:> Our "it-security" department asked me about Qualys warnings like
> -> SSL/TLS Compression Algorithm Information Leakage Vulnerability
>
> As far as I learned it's compression inside ssl.
> postfix-2.11 knows 'tls_ssl_options = no_compression'
> ( see http://www.postfix.org/postconf.5.html#tls_ssl_options )
>
> is the something comparable in dovecot too?
>
> Looks like most extensions in ssl exist only to be disabled :-/
that attacks are not relevant for email because they
rely on the way a webbrowser works which is not the
case for a mail client - you can't trigger XSS and
Ajax in a MUA
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
>> This year, it's CRIME, a practical attack against how TLS is
>> used in browsers. In a wider sense, the same attack conceptually
>> applies to any encrypted protocol where the attacker controls
>> what is being communicated
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20140410/0d786286/attachment.sig>