I found no discussion in my search here about CRIME and SMTP, so am I the first one who got a CRIME vulnerability on SMTP?
During a scan I got an "SSL/TLS Compression Algorithm Information Leakage Vulnerability" (QID: 38599).
As far as I have learned, it's a vulnerability about SSL communication between a client (browser) and a web server (over HTTPS).
But I got this vulnerability on a mail server (SMTP over SSL on port 465/tcp).
The documentation about this vulnerability says:
"... the attacker needs to have ability to submit any plain text to compression and encryption process and observe the output to be able to exploit this vulnerability... "
Could there be a similar technology to inject plain data into an (SSL-secured) SMTP server and get the compressed and encrypted output?
So does anybody know a way to exploit this vulnerability on a secure (SSL) connection to an SMTP server?
I found some discussions on the internet and they all said "... smtp-server are not vulnerable to CRIME..."
So it seems to be a false positive from my scanner (Qualys)?!