On 10.04.2014 15:04, Andreas Schulze wrote:
> Our "it-security" department asked me about Qualys warnings like
> -> SSL/TLS Compression Algorithm Information Leakage Vulnerability
>
> As far as I learned it's compression inside ssl.
> postfix-2.11 knows 'tls_ssl_options = no_compression'
> ( see http://www.postfix.org/postconf.5.html#tls_ssl_options )
>
> is there something comparable in dovecot too?
>
> Looks like most extensions in ssl exist only to be disabled :-/

those attacks are not relevant for email because they rely on the way a web browser works, which is not the case for a mail client - you can't trigger XSS and Ajax in a MUA

https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

>> This year, it's CRIME, a practical attack against how TLS is
>> used in browsers. In a wider sense, the same attack conceptually
>> applies to any encrypted protocol where the attacker controls
>> what is being communicated