Re: [dane] SMTP STARTTLS stripping in the wild

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 03 December 2014 08:10 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94AED1A010C for <dane@ietfa.amsl.com>; Wed, 3 Dec 2014 00:10:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.3
X-Spam-Level: **
X-Spam-Status: No, score=2.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_12=0.6, J_CHICKENPOX_16=0.6, J_CHICKENPOX_22=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_26=0.6, J_CHICKENPOX_46=0.6, J_CHICKENPOX_84=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G7xtX9RE_fgg for <dane@ietfa.amsl.com>; Wed, 3 Dec 2014 00:10:33 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCAAD1A0110 for <dane@ietf.org>; Wed, 3 Dec 2014 00:10:32 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id C7B1F282D5F; Wed, 3 Dec 2014 08:10:31 +0000 (UTC)
Date: Wed, 3 Dec 2014 08:10:31 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141203081031.GG285@mournblade.imrryr.org>
References: <alpine.LFD.2.10.1411131457140.25815@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.10.1411131457140.25815@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/1MCr-AGK4QaRjBAga6YXtlEBXhY
Subject: Re: [dane] SMTP STARTTLS stripping in the wild
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2014 08:10:34 -0000

[ Resending, as this is not in the list archive, and Google does 
  not seem to find it anywhere.  Perhaps this never made it to the
  list.  I am hoping someone from Comcast will read past the TL;DR to
  the end of the message and deploy real keys for their MX hosts. ]

On Thu, Nov 13, 2014 at 02:59:04PM -0500, Paul Wouters wrote:

> https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
> 
> 	"In recent months, researchers have reported ISPs in the US and Thailand
> 	 intercepting their customers' data to strip a security flag?called
> 	 STARTTLS?from email traffic."
> 
> 
> Thanks to Viktor, properly configured postfix clients deployed with DANE should
> detect this and refuse to send the email unencrypted.

Thanks for the nod in my direction.  Note however, that we still
need a lot more MTAs to adopt DNSSEC and publish TLSA RRs.  Please
encourage server operators to move forward.

However, my curated list stands at 337 domains, with:

    * 1 with expired RRSIGs
    * 2 with DS RRs that don't match the zone keyset
    * 1 with an incorrect TLSA RR post key rotation
    * 1 with an incorrect TLSA usage (2 instead of 3).

[ FWIW, since Nov 13th the working domain count has reached 441. ]

In addition I've run into 8 domains with PKIX-EE(1) TLSA RRs which
are not "usable" for SMTP.  Therefore, I'd like to suggest that
while system operators should adopt SMTP with DANE, they should
not do so as "fashion statement".  Do it right, or don't do it at
all.  Having a bunch of published broken domains discourages others
from deploying and creates headaches for those who've enabled
verification.

The error rate would have been higher, were it not for some successes
in notifying most of the problem domains of their mistakes, with
almost all fixing the problem as a result.

Once the new testing site is up and running, I'm hoping we can
successfully "market" it to would-be SMTP with DANE operators, and
avoid most mistakes in the future.

The site will support testing of live systems (catch mistakes after
the fact) and testing of planned configurations (catch mistakes
before they happen).

A Cable operator in Germany with ~500K users has enabled DANE.

IIRC a Comcast engineer was present at the DANE meeting yesterday.
Since the comcast.net zone is signed, I was hoping that a good step
in the same direction might have been.

    _25._tcp.mx1.comcast.net. IN TLSA 3 1 1 3D0CE5F401FE33EFA5ADB136D1E6EDAFBD72DB82FEC50E3CB69CF0943ACBA8D4
    _25._tcp.mx2.comcast.net. IN TLSA 3 1 1 3D0CE5F401FE33EFA5ADB136D1E6EDAFBD72DB82FEC50E3CB69CF0943ACBA8D4

Sadly the certificates in question appear to be from a stock keypair:

    Certificate:
	Data:
	    Version: 3 (0x2)
	    Serial Number: 2 (0x2)
	Signature Algorithm: sha1WithRSAEncryption
	    Issuer: C=US, O=Sample, Inc., OU=IT Team, CN=CA
	    Validity
		Not Before: Nov 18 14:58:26 2010 GMT
		Not After : Nov 15 14:58:26 2020 GMT
	    Subject: C=US, O=Sample, Inc., OU=IT Team, CN=Server
	    Subject Public Key Info:
		Public Key Algorithm: rsaEncryption
		    Public-Key: (1024 bit)
		    Modulus:
			...
		    Exponent: 65537 (0x10001)
	    X509v3 extensions:
		X509v3 Basic Constraints:
		    CA:FALSE
		Netscape Comment:
		    Sample server certificate, do not use on production systems!
    ...

Likely same key previously noted in:

    http://markgamache.blogspot.com/2014_01_01_archive.html
    https://community.virginmedia.com/t5/Email/Sample-server-certificate-do-not-use-on-production-systems/td-p/2142440

So we still have some way to go.

-- 
	Viktor.