Re: [dane] SMTP STARTTLS stripping in the wild

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 14 November 2014 03:22 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: dane@ietf.org
In-Reply-To: <20141114004313.8557.qmail@ary.lan>
References: <20141114004313.8557.qmail@ary.lan>
Date: Thu, 13 Nov 2014 22:22:07 -0500
Message-ID: <32476.1415935327@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/7ctZkt6Ml36Nu-zUz3vMPaqaqHM
Subject: Re: [dane] SMTP STARTTLS stripping in the wild

John Levine <johnl@taugh.com> wrote:
    >> https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
    >> 
    >> "In recent months, researchers have reported ISPs in the US and
    >> Thailand intercepting their customers' data to strip a security
    >> flag—called STARTTLS—from email traffic."
    >> 
    >> Thanks to Viktor, properly configured postfix clients deployed with
    >> DANE should detect this and refuse to send the email unencrypted.

    > This is an anti-spam measure on port 25 traffic on a few mobile
    > networks.  I expect there aren't a lot of copies of Postfix running on
    > mobile devices.  For all those other mobile users, if they're

Any person with a laptop with postfix on it being "tethered" might do this.
I do it regularly; I don't do direct delivery, but do authenticated (via
STARTTLS cert) relaying to a machine in the cloud... I have been using port
26 for this for a decade plus due to port 25 being blocked.

While the submit port might make sense, it was easier to configure this
as straight SMTP.

At least, if this happened to me, the relay would refuse to accept my email,
since it wasn't authenticated; I don't think that I force TLS on the client,
but I probably could.

It's not unusual for an entire office to wind up tethered to someone's mobile
device (or mifi) when a backhoe event occurs.

{and I'm happy to relay for friends and family}


-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
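
The client-side decision this thread turns on, as an added example that is not part of the original message or of Postfix's code: given an EHLO reply with the STARTTLS keyword removed, the sending client's policy determines whether mail goes out in cleartext or is deferred. The policy names follow Postfix's `smtp_tls_security_level` values (`may`, `encrypt`, `dane`); the function names, the `has_tlsa` flag (standing in for "DNSSEC-validated TLSA records were found") and both EHLO replies are constructed for illustration.

```python
# Added example: what a sending MTA does when STARTTLS is absent from EHLO.
# Both replies are constructed sample input, not captured traffic.
INTACT = ("250-mx.example.net\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
          "250-STARTTLS\r\n250 8BITMIME\r\n")
# Same reply after an on-path device has overwritten the STARTTLS keyword.
STRIPPED = ("250-mx.example.net\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
            "250-XXXXXXXX\r\n250 8BITMIME\r\n")

POLICIES = {"may", "encrypt", "dane"}


def ehlo_extensions(reply):
    """Return the extension keywords advertised in a multi-line 250 reply."""
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    exts = set()
    for i, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        words = line[4:].split()
        if i > 0 and words:  # line 0 is the server greeting, not an extension
            exts.add(words[0].upper())
    return exts


def next_step(policy, reply, has_tlsa=False):
    """Return 'starttls', 'cleartext' or 'defer' for this policy and reply."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if "STARTTLS" in ehlo_extensions(reply):
        return "starttls"
    # No STARTTLS offered. Opportunistic TLS ('may') cannot tell stripping
    # from a server that never supported TLS, so it falls back to cleartext.
    # 'encrypt' always requires TLS; 'dane' requires it once TLSA records
    # exist, because the signal comes from DNSSEC rather than from the
    # modifiable SMTP session.
    tls_required = policy == "encrypt" or (policy == "dane" and has_tlsa)
    return "defer" if tls_required else "cleartext"


if __name__ == "__main__":
    for policy, tlsa in [("may", False), ("encrypt", False),
                         ("dane", True), ("dane", False)]:
        print(policy, "tlsa" if tlsa else "no-tlsa",
              "->", next_step(policy, STRIPPED, has_tlsa=tlsa))
```
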