[patch] more TLS configuration options for nnrpd
Julien ÉLIE
julien at trigofacile.com
Sun Nov 9 17:56:46 UTC 2014
Hi all,
>> I like having control for TLS settings; although sensible defaults are
>> generally much more important. But I do not understand why this
>> specific compression setting is unconditional. To exploit CRIME requires
>> a huge amount of carefully triggered, very similar, but slightly
>> different server responses. I see no way to exploit this in the Netnews
>> context.
>
> There are several places where the server will echo back a message ID
> given as input. LIST ACTIVE on a bunch of group names in the same
> hierarchy might do it as well. I'm not sure how close the responses need
> to be.
Would this CRIME exploit imply that using compression with encrypted
data is not secure? (Therefore, a possible COMPRESS command for the
NNTP protocol should not be used at the same time as an encrypted
layer... We would then have to choose between compression or encryption!)
--
Julien ÉLIE
« Confessio est regina probatio. »
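
An added illustration (not part of the original message or of INN's code) of the length side channel behind the question above: when a secret and an attacker-influenced value, such as an echoed message ID, pass through one compression context, the compressed size depends on whether they match, while compressing them in separate contexts removes that dependence. The secret, the echoed values and all function names are constructed for this demo.

```python
import zlib

# Constructed sample data; nothing here comes from INN or a real session.
SECRET = b"X-Token: 7f3a9c1e5b2d8a60f4c1\r\n"
RIGHT = b"7f3a9c1e5b2d8a60f4c1"   # echoed value equal to the secret part
WRONG = b"qWzRtYpLmKjHgFdSxCvB"   # same length, shares nothing with the secret


def echo_line(echoed: bytes) -> bytes:
    """Response line that repeats a client-supplied value (hypothetical format)."""
    return b"Echo: " + echoed + b"\r\n"


def shared_context_size(secret: bytes, echoed: bytes) -> int:
    """Bytes on the wire when both pieces go through ONE deflate stream,
    as with compression applied to the whole connection before encryption."""
    stream = zlib.compressobj()
    out = stream.compress(secret) + stream.compress(echo_line(echoed))
    return len(out + stream.flush())


def separate_context_size(secret: bytes, echoed: bytes) -> int:
    """Bytes on the wire when each piece gets its own fresh deflate stream,
    so no back-reference can point from the echoed data into the secret."""
    return len(zlib.compress(secret)) + len(zlib.compress(echo_line(echoed)))


def size_gap(size_fn, secret: bytes) -> int:
    """How many bytes shorter the output is for the matching echoed value.
    Encryption hides content but not length, so an observer sees this gap."""
    return size_fn(secret, WRONG) - size_fn(secret, RIGHT)


if __name__ == "__main__":
    print("shared context gap:  ", size_gap(shared_context_size, SECRET))
    print("separate context gap:", size_gap(separate_context_size, SECRET))
```
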
More information about the inn-workers mailing list