Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
Brandon Long <blong@fiction.net> Thu, 10 August 2017 00:42 UTC
Return-Path: <blong@fiction.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCEFC1324E2 for <dmarc@ietfa.amsl.com>; Wed, 9 Aug 2017 17:42:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.199
X-Spam-Level:
X-Spam-Status: No, score=-2.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fiction.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f_GgXqOlX2Pd for <dmarc@ietfa.amsl.com>; Wed, 9 Aug 2017 17:42:10 -0700 (PDT)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAF17131CB2 for <dmarc@ietf.org>; Wed, 9 Aug 2017 17:42:10 -0700 (PDT)
Received: by mail-oi0-x236.google.com with SMTP id e124so77091227oig.2 for <dmarc@ietf.org>; Wed, 09 Aug 2017 17:42:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fiction.net; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=13KqUpzwyg35xHZ+nJsoFYAC63bZFUInamhUNUzAFwA=; b=IOhlC4EEt5gM2dubbRJQX3jMiHTx+Qde3aIGH/iWJHp1+xv6YktFSHCh6kxy5LRrjG CXksDZXZ7NQf46WYWz0qiVavJqxvMNANfiNKPLxwCN/k6RZJFoLDnIvHNZd7yc8GzBxG hn63YICnnI4khXvMnkbYUUXbCAPj4ST5mowsWb8N+JMuqOC9U0Guq1jbp45j2uX4J5bH oMAgCWPoRZqH0Z8rWXz2oVLfLgC7IC3VrjEG7I2Fzqulycll6SrMZJgj2yJwDV40BP8K qhHxK2vD2awR4X1EZgyl4lZU5C6vMdR6TTnyGMAmb51eUwnuq6lhdNjpm9C5oA5+UpGI AwIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=13KqUpzwyg35xHZ+nJsoFYAC63bZFUInamhUNUzAFwA=; b=ba6l5W5Bdrp65yHxt3fufnQzwasGhg06GCvFIkuvSU2t9EFpWXBhorwK1ehMbhcocB /vljXb9ZEa21qp0ev0t8heRS5Zz2NwcfAyPTdgCGXjEPuY2NQoKt86ALoL91GRiN9XKs wLf4NQXtIdSju/lyuR37caKXnx89mX1MkMaM73zSLHJ596wx6WMAiJ4hFm7BTv+W0WqA n3OYchHS3snQ5pVOAy8G2kK03rSrNCSDG6hCnfDn0oABF7dsKyMOjDC4i79/ypZIRZSK VSw+P8I1QBdtZiful+t1/qrnpb8p5Oi4DPnaj1ixQGEhfOuBB0Ikv+0DRfxAMKe+I6wj b1zw==
X-Gm-Message-State: AHYfb5h1cmpgc2BvH049NTqyFW3bIUr/Iy2MS3bCGvWNqg86gcAiSjm8 88pyHZhlYNbR0SQwnz0=
X-Received: by 10.202.213.216 with SMTP id m207mr12790429oig.17.1502325729998; Wed, 09 Aug 2017 17:42:09 -0700 (PDT)
Received: from mail-oi0-f51.google.com (mail-oi0-f51.google.com. [209.85.218.51]) by smtp.gmail.com with ESMTPSA id l191sm5002346oih.26.2017.08.09.17.42.09 for <dmarc@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 09 Aug 2017 17:42:09 -0700 (PDT)
Received: by mail-oi0-f51.google.com with SMTP id x3so76944946oia.1 for <dmarc@ietf.org>; Wed, 09 Aug 2017 17:42:09 -0700 (PDT)
X-Received: by 10.202.104.6 with SMTP id d6mr10262103oic.95.1502325728623; Wed, 09 Aug 2017 17:42:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.154.51 with HTTP; Wed, 9 Aug 2017 17:42:07 -0700 (PDT)
Received: by 10.74.154.51 with HTTP; Wed, 9 Aug 2017 17:42:07 -0700 (PDT)
In-Reply-To: <CABa8R6vKW0thNAmrbyKz9J8yG3GyiYd11Ued2yug7SjMmp2aqQ@mail.gmail.com>
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <CABa8R6vKW0thNAmrbyKz9J8yG3GyiYd11Ued2yug7SjMmp2aqQ@mail.gmail.com>
From: Brandon Long <blong@fiction.net>
Date: Wed, 09 Aug 2017 17:42:07 -0700
X-Gmail-Original-Message-ID: <CABa8R6umw_EgDEEZtpXs5Wi4HYiVmZ3yyzUxqpXZSix6R5Xg9g@mail.gmail.com>
Message-ID: <CABa8R6umw_EgDEEZtpXs5Wi4HYiVmZ3yyzUxqpXZSix6R5Xg9g@mail.gmail.com>
To: Bron Gondwana <brong@fastmailteam.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a1140f9c264fb4e05565b77d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/e4tTgafBd2o0G8baKyVf49b1Ink>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2017 00:42:15 -0000
Sorry, posted from the wrong address, trying again. On Aug 9, 2017 8:41 PM, "Brandon Long" <blong@google.com> wrote: > We discussed this exact situation extensively during several M3AAWG > meetings, so I don't think we're missing something... but maybe. > > With AS I can trust the chain and use the older hops AAR. And whether to > use a given hops AAR is based on my trust level for that hop. > > As long as the AMS passes, you can ignore hops you don't trust and keep > walking. > > Once you reach a hop where the AMS doesn't verify, you can only walk back > to hops you trust, and untrusted hop ends your walk back. > > So, you can copy and entire chain on to whatever message you want, but > that only works if I trust you. If you do this a lot, we won't trust you > any more. > > This doesn't mean that some messages can't abuse the trust relationship > and make it through, and we specifically say that standard > spam/phishing/abuse analysis should still be done. > > With your proposed AAR signed by the AMS, I can only trust your AAR, and > whatever you choose to put in it, not anyone in front of you. > > With XOAR, we have experience with that type of single hop working system, > and it's not complete enough, we see too many complicated routing policies > which go through many hops, and the last hop data isn't always enough. We > work around it with from header rewrites and signing as the intermediary > domain, but then we need to make decisions on when to do so since dkim > means something different than ams does. > > Also, you wouldn't expect to see arc signed messages from this list until > it starts doing them itself, unless people are posting to it though another > intermediary or you receive it through a separate intermediary. > > Brandon > > On Aug 9, 2017 6:26 PM, "Bron Gondwana" <brong@fastmailteam.com> wrote: > >> On Wed, 9 Aug 2017, at 00:28, Scott Kitterman wrote: >> >> I think the "Once AMS doesn't validate anymore ..." argument is an >> suggestion that it's fragile, not that it's pointless. I have concerns >> myself about the robustness of this design, but I think that's best >> addressed through deployment and experimentation. >> >> >> It's not fragility, the older AMS is supposed to not validate any more, >> because it's a signature over a bunch of headers and the body - any change >> in those will break it. That's fine so long as the chain of custody exists. >> >> My problem is that ARC-Seal only actually shows the chain of custody back >> to the first bad actor. That's also fine, because any bad actor means the >> whole message is tainted and should be discarded. >> >> The thing is - ARC-Seal and verifying every Seal only gives more >> integrity than checking the previous AMS and signing your own AAR unless >> this is true: >> >> * There exists a site which correctly checks ARC-Seal and adds new >> ARC-Seals, but does not generate an accurate AAR. >> >> I do feel like nobody understands what the hell I'm trying to say here >> based on the responses I've seen so far, so maybe I do actually need to >> find an existing ARC-Sealed email and forge a change to it. Seth asked to >> have a phone chat about this, and I'm happy to have a phone chat with >> anybody if it will help explain my point. >> >> I'm not saying that the underlying concept of ARC are wrong - the idea of >> chain of custody is sound. >> >> The problem is that ARC-Seal makes claims it just doesn't deliver on - >> it's not adding value, and it is adding cost and fragility (the need to >> successfully do DNS fetches for every seal in the chain at every point, >> plus the cost of checking that crypto) - and yet any one site can still >> falsify all the earlier items in the chain. >> >> Sadly I only have a few message in my entire mailbox that have ARC-Seals >> on them. They're from a Mozilla Thunderbird list of all things, and they >> have some Google ARC headers on them. I'd prefer to impersonate someone >> from this list if I'm going to make a proof of concept to show what I mean, >> but nobody appears to be sending messages with ARC headers on them here! >> >> Bron. >> >> -- >> Bron Gondwana, CEO, FastMail Pty Ltd >> brong@fastmailteam.com >> >> >> >> _______________________________________________ >> dmarc mailing list >> dmarc@ietf.org >> https://www.ietf.org/mailman/listinfo/dmarc >> >>
- [dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos