[dmarc-ietf] ARC-Seal is meaningless security theatre
Bron Gondwana <brong@fastmailteam.com> Mon, 07 August 2017 05:21 UTC
Return-Path: <brong@fastmailteam.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D401212942F for <dmarc@ietfa.amsl.com>; Sun, 6 Aug 2017 22:21:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Level:
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=DKfq/DtA; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=gIvGLFji
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W3-jSbPGa9vw for <dmarc@ietfa.amsl.com>; Sun, 6 Aug 2017 22:21:28 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EC1A1287A5 for <dmarc@ietf.org>; Sun, 6 Aug 2017 22:21:28 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id E0A6720C45 for <dmarc@ietf.org>; Mon, 7 Aug 2017 01:21:27 -0400 (EDT)
Received: from web5 ([10.202.2.215]) by compute6.internal (MEProxy); Mon, 07 Aug 2017 01:21:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=content-transfer-encoding:content-type:date :from:message-id:mime-version:subject:to:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=gGoyjlUM+F0pvGYV5HTiGtG4OdTnuLozFeykP6Lx2 Rs=; b=DKfq/DtA60mOoFSSJt1j1oAsX7hicVhuhb4ry1itmB2QuHefAkCCEeDD3 PFrEdQiEzuVhGPVrlZnD6o31NzeZCtoB7TLlAlrvofNkeTFqWcJKZfMpj3UkfuSL miCFFo/xeRR3XDQge0aGZiFZTdSoqzOFQHnVbpHmEmO32ek5MAAX0vXxh/7g1z4t nH6l3fkfUWHxVPn5SIHWWzLwbhUSq/e8oVPjexryVFRYnv6fyl+RrzHBembS30tO cksPetGewCwGqeW2VkHo57eqK6kSdsToWJkuBf1aePaxHhHvCNO3XPF7NNF7n1tJ KpKi3CtIKyxH4lZLPij9g+q16/pzg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=gGoyjlUM+F0pvGYV5HTiGtG4OdTnu LozFeykP6Lx2Rs=; b=gIvGLFjiAFXTtUoekmhMPcvEW68zkp+/6rYULVNFeUG01 vRDNU+9Ts+rLD5SFO9dZW6LHccyfFPrp1+YhdVrRJg93EE8rGyiFwUtQUtms6P1M tsI9kBvi+F5Zkz34TgXayGDqmvm2MzDvmBZskb2qIlwSJi1gbfUDqYVBJxbhR02a QDvUJm5j+6orSNteZdYfw7hkh85XcV4S09WKBMnq7tU8DAjnvZnVhs7Mkgb4OYZ4 pPoTb6bFh1fuWj+8t3xdai4G9VyBOK/Eaw9A0IVmsyTQifW3Y1KDUKCGqjXAlfVw GERhxDJRUdkMyWGZdC7wW36QylokGKNzU8TTC7PtQ==
X-ME-Sender: <xms:1_iHWYJhj1l3kEOI5zqvHLc1QHt5T3gsl8_Ps30zWCfIPrhhsoHPyQ>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id B0E4C9E24F; Mon, 7 Aug 2017 01:21:27 -0400 (EDT)
Message-Id: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com>
From: Bron Gondwana <brong@fastmailteam.com>
To: dmarc@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_150208328721912480"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-7b2cde4a
Date: Mon, 07 Aug 2017 15:21:27 +1000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/4Gu1EErK4iuo9pQnZ-uJ2tKpMDQ>
Subject: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2017 05:21:32 -0000
I thought long and hard about using a less inflammatory title, but I figure maybe going in hard is the right way here, because I'd rather fix this before it becomes a standard! (and thanks Dave for your thoughtful questions during the Prague DMARC session which prompted some of my thinking) Unfortunately I didn't get a full chance to think about ARC and how it all functions before Prague, and then I hadn't fully internalised it by the DMARC session - I was still refactoring the code I wrote on the weekend and testing it some more, as well as getting the signing side done. It took a few days to fully understand how all those signatures work together. I had let others focus on ARC within our company rather than looking at it myself until now. So my apologies for coming along late with this manifesto! I've been trying to think of a more polite and diplomatic way to say it, but so far I haven't see anything to convince me that ARC-Seal is anything other than snake oil. It's excessive crypto for no benefit, and with the way I've had it described to me and the way it's being used right now at least at Google (sealing every message on the way in), it adds confusion rather than clarity to message provenance. Let me explain. Starting with purpose. ARC conflates two purposes: a) providing a new signature when you change a message in ways that break its existing signature. b) providing a signature where there is none, but SPF passed and you would have trusted the source email anyway. Apparently "just DKIM sign everything" isn't viable due to key management problems and "sending on behalf of". I'm willing to stipulate that, because we have to work with the reality of deployed systems with any new standard if it wants traction. There is a third purpose that needs signatures: c) new email received from trusted/internal host with no signature yet This is generally handled by DKIM-signing the message before sending it outside an organisation's trusted infrastructure. FastMail for example DKIM signs our outbound email during the final scan before adding to the outbound queues. Internally it travels around with an internal-only header that identifies the sending user to allow us to choose which DKIM signatures to apply, then we sign on final injection into the outbound queue. I suspect other organisations do the same, and this is what DKIM was designed for. My understanding of ARC is that is not supposed to replace DKIM for this case. Anyway, we are conflating: 1) I need to sign this email which I didn't modify because the next hop wouldn't be able to verify that it was sent from an authorised source any more; with 2) I'm modifying this message and I am asserting that I believed it was from an authorised source and correctly signed before I modified it Right now AAR and AMS are exactly the same for those two cases. The problem is - advice on "when should I ARC-Seal" is really woolly, leading to a third case being conflated in here: 3) I'm not modifying this message or breaking its signature, I'm just adding my own signature as it passes through Case three is the real problem. By adding an AAR, AMS and AS in that case, you're adding crypto which is misleading. I will make my case below :) I use the following parties: d=gmail.com - a sender and eventual receiver. I could sub fastmail.com here just as easily, but "everyone" knows gmail, and they currently ARC- Seal all incoming email. d=mailinglist.com - a mailing list which modifies all email, and hence needs to apply ARC to every message for case (2) above. d=forwarder.com - a site that just forwards email without changing the message at all - something like pobox.com, our alias service. d=sketchy.com - another forwarder who isn't well known or trusted. Trust isn't transitive, gmail trusts mailinglist.com to validate signatures and to only apply clean transformations (change sender, add a footer) to any email it receives, but it doesn't trust sketchy.com at all. mailinglist.com on the other hand isn't sure about sketchy.com, but has no reason to consider it less trustworthy than other forwarders because it doesn't have a giant machine learning database to handle site reputation. Now let's consider the following message history. The mail is going to follow this path: gmail.com => sketchy.com => mailinglist.com => forwarder.com => gmail.com This seems somewhat contrived, but maybe sketchy.com is some university system where a club has set up an alias that goes to their mailing list, and one of the members is an alumnus using a separate university alumni system which forwards to their gmail account. That's not a totally unreasonable mail flow. Here's a message where sketchy.com just forwards the message, with no changes made: original message: DKIM-Signature: d=gmail.com (VALID) From: <foo@gmail.com> To: <list-name@sketchy.com> first hop: AS: i=1, d=sketchy.com, cv=none (VALID) AMS: i=1, d=sketchy.com (VALID) AAR: i=1, dkim=pass, spf=pass, arc=none DKIM-Signature: d=gmail.com (VALID) From: <foo@gmail.com> To: <list-name@sketchy.com> ENV-To: <name@mailinglist.com> second hop: AS: i=2, d=mailinglist.com, cv=pass (VALID) AMS: i=2, d=mailinglist.com (VALID) AAR: i=2, dkim=pass, spf=fail, arc=pass AS: i=1, d=sketchy.com, cv=none (VALID) AMS: i=1, d=sketchy.com (INVALID) AAR: i=1, dkim=pass, spf=pass DKIM-Signature: d=gmail.com (INVALID) From: <name@mailinglist.com> To: <alias@forwarder.com> We see that both DKIM and i=1 AMS are now invalid, only the AS chain continues to validate. The DKIM still passed on arrival to mailinglist.com, because sketchy.com didn't actually modify the message, but won't pass again after this. third hop: AS: i=3, d=forwarder.com, cv=pass (VALID) AMS: i=3, d=forwarder.com (VALID) AAR: i=3, dkim=fail, spf=fail, arc=pass AS: i=2, d=mailinglist.com, cv=pass (VALID) AMS: i=2, d=mailinglist.com (VALID) AAR: i=2, dkim=pass, spf=fail, arc=pass AS: i=1, d=sketchy.com, cv=none (VALID) AMS: i=1, d=sketchy.com (INVALID) AAR: i=1, dkim=pass, spf=pass DKIM-Signature: d=gmail.com (INVALID) From: <name@mailinglist.com> To: <alias@forwarder.com> ENV-To: <bar@gmail.com> and finally gmail seal it on the way in: AS: i=4, d=gmail.com, cv=pass (VALID) AMS: i=4, d=gmail.com (VALID) AAR: i=4, dkim=fail, spf=fail, arc=pass AS: i=3, d=forwarder.com, cv=pass (VALID) AMS: i=3, d=forwarder.com (VALID) AAR: i=3, dkim=fail, spf=fail, arc=pass AS: i=2, d=mailinglist.com, cv=pass (VALID) AMS: i=2, d=mailinglist.com (VALID) AAR: i=2, dkim=pass, spf=fail, arc=pass AS: i=1, d=sketchy.com, cv=none (VALID) AMS: i=1, d=sketchy.com (INVALID) AAR: i=1, dkim=pass, spf=pass DKIM-Signature: d=gmail.com (INVALID) From: <name@mailinglist.com> To: <alias@forwarder.com> ENV-To: <bar@gmail.com> In here we have two things that are interesting: 1) the oldest AMS that still validates. Nothing was changed since then.2) the AAR with the same i= value (i=2) which shows that DKIM still passed then. So we can tell from these headers that the only place which modified the message was mailinglist.com. So far so good. Absent ANY value at all are the ARC headers with i=1, i=3 or i=4. They add no value. Likewise the ARC-Seal at i=2 only adds value because it signs the AAR at i=2. This is literally the only proof we have at this point that sketchy.com didn't completely rewrite the message. This same value could be obtained by having sketchy.com and forwarder.com and gmail's inbound do no ARC processing at all other than validating the AMS of mailinglist.com rather than the DKIM signature at forwarder.com and gmail.com inbound. The only way to know that sketchy.com didn't modify the message is because mailinglist.com's AAR said that dkim still passed at that time. But mailinglist.com could easily lie about that if it wanted to, the chain would still be unbroken. Further, ARC-Seal doesn't capture the really interesting bits - which are "what was the envelope at this point" or even "what was the date at this point" - meaning you can re-purpose old ARC-Seals for as long as you like if the selectors still exist, and they will continue to validate. OK, this has become pretty long and rambly, but here's the thing: *AS adds nothing over just having AMS signing its own AAR, and then you only have to verify ONE signature, the most recent.* Any site which lies about AAR and also modifies the message can just as easily file the serial numbers off an existing ARC chain, pretend it received the message from a point in that chain, and then mint a convincing AAR, a valid AMS and a valid AS which chains with the existing set of seals. The seals don't include any previous facts about the message other than the hashes in the lower i= AMS headers, and a single modification to message content will render them invalid. Short of a global registry of all known email mesages (in which case ARC is pointless), you can't tell if those ARC headers were lifted off another message and reused. You either trust the most recent signer and trust that THEY validated the previous signer/SPF (and so on) or the chain is broken anyway, so why add a parallel, easily falsified, chain of signatures? So since ARC-Seal doesn't add any value, and adds complexity and cost (in extra DNS lookups and crypto) and failure points (in potential DNS tempfails which break the chain even though the underlying crypto is sound and could be verified later) - it's a waste and, as I stated in the subject, snakeoil with no benefit. What is valuable is AMS and AAR, and along with that - advice to not add your own AMS unless you really have to. If you aren't breaking the existing signature, don't add your own, because it confuses provenance on the message. ARC would be a better standard if it removed AS entirely, and had AMS sign its own AAR (e.g. by adding another tag to the AMS header which is the hash of the associated AAR) A more cheap and nasty fix, assuming it's too late/complex to change the protocol more, would be to keep AS, but change the validation to only require checking the most recent AS, since validating the rest is meaningless. Cheers, Bron. -- Bron Gondwana, CEO, FastMail Pty Ltd brong@fastmailteam.com
- [dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos