Re: [Shutup] [ietf-smtp] Compressing SMTP streams

Aaron Zauner <> Sat, 06 February 2016 10:16 UTC

From: Aaron Zauner <>
In-Reply-To: <20160129180713.51570.qmail@ary.lan>
Date: Sat, 6 Feb 2016 11:15:54 +0100
Message-Id: <>
References: <20160129180713.51570.qmail@ary.lan>
To: John Levine <>
Subject: Re: [Shutup] [ietf-smtp] Compressing SMTP streams


> On 29 Jan 2016, at 19:07, John Levine <> wrote:
>> Compression has been removed completely from TLS v1.3, the outcome of
>> the room consensus at IETF-89.
> Bummer.

No, it's a security *feature*.

> Well, in that case, here's a straw man proposal.
> The extension name is COMPRESS, the EHLO keyword is COMPRESS and is
> followed by a space-separated list of compression schemes, currently
> consisting only of DEFLATE (RFC 1951.)
> There's one new command, COMPRESS which takes as an argument the type
> of compression to be used.  If you want to do both STARTTLS and
> COMPRESS, the results of doing COMPRESS before STARTTLS are
> aggressively undefined.
> The responses to COMPRESS are:
> 500 compress not supported
> 501 compression scheme unknown
> 220 go ahead

I'm strongly opposed to this.

Do you guys have any numbers on this? I.e. what the advantage and compression ratio for your average mail traffic will be? I suspect compression is helpful in SMTP, but it may also introduce vulnerabilities in combination with TLS. CRIME wasn't the only attack on compression; there have also been application-layer-specific attacks, BREACH for example ( A team is currently working on improving these attacks in application-layer protocols, circumventing counter-measures in clients, et cetera (from a talk at RealWorldCrypto2016 -

Another problem with SMTP extensions is that mail daemons are rarely updated, so it takes quite a few years to get real support on the internet.
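As an added example that is not part of the thread or of any real MTA: a toy Python model of the COMPRESS negotiation quoted above (EHLO keyword, COMPRESS command, the three reply codes) together with the two DEFLATE measurements behind this reply, the compression ratio on a message and the length leak that CRIME/BREACH build on. The greeting text, host name, the 502 reply for other verbs and all sample bytes are assumptions.

```python
import zlib

# Added example, not code from the thread: a toy model of the quoted COMPRESS
# straw man plus the DEFLATE measurements behind the two points in the reply.
SUPPORTED = ("DEFLATE",)  # RFC 1951, the only scheme in the proposal


class CompressServer:
    """Server side of the straw-man negotiation, reply codes as quoted."""
    def __init__(self, advertise=True):
        self.advertise = advertise  # False models a server without the extension
        self.scheme = None  # becomes "DEFLATE" once negotiated

    def ehlo(self, host):
        # EHLO keyword COMPRESS followed by a space-separated scheme list
        lines = [f"250-{host} greets you"]
        if self.advertise:
            lines.append("250-COMPRESS " + " ".join(SUPPORTED))
        lines.append("250 STARTTLS")
        return lines

    def command(self, line):
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() != "COMPRESS":
            return "502 Command not implemented"
        if not self.advertise:
            return "500 compress not supported"
        if arg.upper() not in SUPPORTED:
            return "501 compression scheme unknown"
        self.scheme = arg.upper()
        return "220 go ahead"


def deflate_len(data):
    """Size of a raw DEFLATE stream (wbits=-15: no zlib header or trailer)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return len(c.compress(data) + c.flush())


def compression_ratio(message):
    """Compressed size over original size, the number the reply asks for."""
    return deflate_len(message) / len(message)


def length_leak(secret, guess):
    """The CRIME/BREACH hazard: if a stream mixes a secret header with bytes
    an outsider can influence, DEFLATE gets shorter when those bytes repeat
    the secret, and TLS does not hide length, so the guess's fit leaks."""
    return deflate_len(secret + guess)
```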