Re: [dane] SMTP STARTTLS stripping in the wild

"John Levine" <johnl@taugh.com> Fri, 14 November 2014 00:43 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A8881A1A07 for <dane@ietfa.amsl.com>; Thu, 13 Nov 2014 16:43:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.037
X-Spam-Level:
X-Spam-Status: No, score=-1.037 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NtL2xlDXWdQ8 for <dane@ietfa.amsl.com>; Thu, 13 Nov 2014 16:43:37 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0656B1A19F8 for <dane@ietf.org>; Thu, 13 Nov 2014 16:43:36 -0800 (PST)
Received: (qmail 48404 invoked from network); 14 Nov 2014 00:43:35 -0000
Received: from miucha.iecc.com (64.57.183.18) by mail1.iecc.com with QMQP; 14 Nov 2014 00:43:35 -0000
Date: 14 Nov 2014 00:43:13 -0000
Message-ID: <20141114004313.8557.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: dane@ietf.org
In-Reply-To: <alpine.LFD.2.10.1411131457140.25815@bofh.nohats.ca>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/Yms5oVLjRgFXh28lKiyDXfhWQXA
Cc: paul@nohats.ca
Subject: Re: [dane] SMTP STARTTLS stripping in the wild
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2014 00:43:38 -0000

>https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
>
> 	"In recent months, researchers have reported ISPs in the US and Thailand
> 	 intercepting their customers' data to strip a security flag—called
> 	 STARTTLS—from email traffic."
>
>Thanks to Viktor, properly configured postfix clients deployed with DANE should
>detect this and refuse to send the email unencrypted.

This is an anti-spam measure on port 25 traffic on a few mobile
networks.  I expect there aren't a lot of copies of Postfix running
on mobile devices.  For all those other mobile users, if they're
configured correctly they're submitting over port 587 or 465, and
nobody tries to filter that.

R's,
John