IETF Logo Mail Archive

Re: [dane] DANE and STARTTLS - indication of availability of encryption

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 06 September 2013 15:50 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 567E611E81A5 for <dane@ietfa.amsl.com>; Fri, 6 Sep 2013 08:50:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[AWL=-0.104, BAYES_00=-2.599, J_CHICKENPOX_24=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b+IVuegSnDhx for <dane@ietfa.amsl.com>; Fri, 6 Sep 2013 08:50:22 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [208.77.212.107]) by ietfa.amsl.com (Postfix) with ESMTP id 8325811E8122 for <dane@ietf.org>; Fri, 6 Sep 2013 08:50:21 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 68E2B2AA9FC; Fri, 6 Sep 2013 15:50:16 +0000 (UTC)
Date: Fri, 06 Sep 2013 15:50:16 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20130906155016.GY29796@mournblade.imrryr.org>
References: <20130904144549.GA29796@mournblade.imrryr.org> <m3bo48885q.fsf@carbon.jhcloos.org> <20130905010924.GM29796@mournblade.imrryr.org> <CAF4kx8fq2oxNK2MiCCrNJUn-Qog+TXrHZ+ohj-vKFxpi+5PPEw@mail.gmail.com> <20130905212933.GI61351@mx1.yitter.info> <CAF4kx8etOjE8y4B9dq1dm6_5_8TOYHnp4v1r0bfT1SOr5im0mw@mail.gmail.com> <m3d2om5bt2.fsf@carbon.jhcloos.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <m3d2om5bt2.fsf@carbon.jhcloos.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] DANE and STARTTLS - indication of availability of encryption
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2013 15:50:27 -0000

On Fri, Sep 06, 2013 at 09:17:20AM -0400, James Cloos wrote:

> The idea of using the existence of an unsecured tlsa rr as a hint that
> tls must be used was, IIRC, discussed in the early days of this wg.

This is largely impractical for SMTP.  SMTP TLSA RRs are of course
tied to MX hosts (transport destinations), not email domains.  An
MITM can bypass any such cached RRs by sending malicious MX replies.

The TTLs on MX records are often relatively short (gmail.com is 1H)
so attacks don't require the attacker to wait long and for smaller
destination domains which don't receive a steady stream of traffic
from all senders, or when intercepting a low-volume sender, the
target MX RRset is often already expired from the cache due to
infrequent mail transmission.

Also any insecure data with a remotely specified TTL is a golden
opportunity for cache poisoning attacks.  Just set a very long TTL
with a bogus certificate association and the MITM attacker is set
for a long time.  In the mean time log entries show happily
authenticated connections, nobody is any the wiser unless they are
logging the underlying digests and looking for malicious changes.

I understand that it would be convenient if security could be
obtained more easily.  Sadly, there is a lower bound on the cost.

> Doing MX+TLSA queries as soon as the destination(s) are known so as to
> indicate the possibility of TLS (Trusted, Untrusted or Verified) can be
> a good idea.

What should an MTA do differently when insecure TLSA records are
found for one or more MX hosts, and why?

> But it tlsa existance is to be the key, it does seem best to demand that
> it be secured.

On this we agree.

> But please do publish the tlsa sooner rather than later.  Even though
> they likely will not get used in practice until the zones are signed,
> tests can still be done to ensure accuracy, and there won't have to be
> any delays post-signing.

A better test is to use non-production MX hosts in a signed zone.

	dane-test.gmail.com. IN MX 0 mx.dane-test.gmail.com.
	mx.date-test.gmail.com. IN A 192.0.2.1
	mx.date-test.gmail.com. IN TLSA 2 1 1 {sha256 pubkey hash}

then one can test verified connections to dane-test.gmail.com before
publishing TLSA RRs for the production zone.

-- 
	Viktor.

v2.29.0 | Report a Bug | By Email | System Status