[Dovecot] dovecot: disable ssl compression
Jiri Bourek
bourek at thinline.cz
Thu Apr 24 06:30:14 UTC 2014
Andreas Schulze wrote:
>
> Reindl Harald:
>
>> https://www.ssllabs.com/ssltest/ just doesn't allow anything other than
>> https and port 443 - what reports are you speaking about?
> you're free to configure pop3s/imaps/ssmtp on the "nonstandard" port 443
>
>>> I have to explain this message from Qualys as not
>>> relevant/harmless/cannot change
>>
>> so what - which fools are allowed to audit you while having
>> no clue what they are talking about?
> Qualys, they have more services than ssllabs.com
>
> see andreasschulze.de/tmp/qualys-id-38599.jpg
>
> Andreas
Well, they seem to know what they are talking about. The description of
the threat in the linked screenshot says "attacker needs to have ability to
submit any plain text".
The more interesting question is why you need to explain to your
IT security people that compression in POP3 is not vulnerable to this
attack. I mean, if they're in charge of security, they really should know
that.