IETF Logo Mail Archive

Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Seth Blank <seth@sethblank.com> Tue, 15 August 2017 00:47 UTC

Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0369B132477 for <dmarc@ietfa.amsl.com>; Mon, 14 Aug 2017 17:47:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0hhdgPMujdcm for <dmarc@ietfa.amsl.com>; Mon, 14 Aug 2017 17:47:09 -0700 (PDT)
Received: from mail-ua0-x22c.google.com (mail-ua0-x22c.google.com [IPv6:2607:f8b0:400c:c08::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2BA0132476 for <dmarc@ietf.org>; Mon, 14 Aug 2017 17:47:08 -0700 (PDT)
Received: by mail-ua0-x22c.google.com with SMTP id 80so42836745uas.0 for <dmarc@ietf.org>; Mon, 14 Aug 2017 17:47:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=AcpWTMIRHo7fx+RvWyXzr2mHgtSKFoqFH/PYhNrU3KA=; b=mxmX1SL18ySUI38YiCAn3gk6pgsQgGO8HHJ/y7JTS7LvfuFAKQgk4a6sXnAOmrDi5V kSsSK1Sn8I2N+yUoB3REItz99PZ+hP8dzdEurbKNp/EijL7ChtOiScseWtV4sS/2cXuK fAzcIXlJD/Nn8npZyC+kX0pS425WiShdJKti2LTcj+KFHcRgyaO4aHoioFr67Nvzpdi3 S4r2ZvDUNaIZVANYNejpBBncU6c+VwvAsAhKjFM5N8WUvJjUvv9fZEWvYAjMz+wAKoLK b6H+fHr6kMkLi777Zs6NfByhn16Gyhn8L3IYo6ZLj/MlNWffVu4XFkN53mYZZ5wRIpI0 PV/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=AcpWTMIRHo7fx+RvWyXzr2mHgtSKFoqFH/PYhNrU3KA=; b=BZuAwlK37QGzeeaz+HzCAfycksk9+520nL3KUCItQWggT/83JKBJTIL97O3JbWUPCy GueP/Vm+6mXceK3UuyVKEXFZeYKiBV5tcHkiRrSDwZmH0x1SNZP1xhhIqIaPprEZA/7K U+urkWUMV/A2xUw/IKiAp6M6rqGrxwbkxB/9x8MD20AlnHYDNfgtt2a+J2BVLWXEhzG/ GRbNO+A3wFsWYjyilr9lbGXUzxA4v+OIQgLyV4eYRAOywvq1ll3orQYVcrlpFegdHzr5 2UvrSWRJBSSoQ0SSFjiKEBD6Pg7bayj4LLa4jXPg8HsJtTK0uy9KIjgk2x6UYgo5IL9Z R3uA==
X-Gm-Message-State: AHYfb5jxFGEWm5nmuxyjR7FlLsVhJtV64u3Y96O7oJ3Yq+vpq3FGMSH9 wP/Q+EN1+6KFBaYbXunWrcxFH/uePoQNtto=
X-Received: by 10.176.87.138 with SMTP id x10mr18343479uaa.57.1502758027518; Mon, 14 Aug 2017 17:47:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.151.25 with HTTP; Mon, 14 Aug 2017 17:46:46 -0700 (PDT)
In-Reply-To: <1502755921.1067004.1073467336.14612B87@webmail.messagingengine.com>
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <CABa8R6uV=4Cc47zHtZtA-0WFVhuEYPAr3NTswzvF4H21tjfWTw@mail.gmail.com> <1502755921.1067004.1073467336.14612B87@webmail.messagingengine.com>
From: Seth Blank <seth@sethblank.com>
Date: Mon, 14 Aug 2017 17:46:46 -0700
Message-ID: <CAD2i3WMt+FL7J21diBBD_Qw88iGu5-PUhJcp3cGpFdF9qYhTew@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="f403045dd08e6a51a00556c01ebc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jqFPwOFo-nDZm72mX5FnKs34TFE>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 00:47:12 -0000

On Mon, Aug 14, 2017 at 5:12 PM, Bron Gondwana <brong@fastmailteam.com>
wrote:
>
> If there is a non-participating intermediary, either the message wasn't
> modified (so the next hop passes arc) or it was (and the next hop fails the
> whole chain).
>
> If you are participating, the fact that you didn't modify the message is
> lost when the message is modified down the chain.
>
> This is a clearly worse scenario for participation, due to the lack of
> information that is passed forward in the chain.
>
> We would need to include more information in the chain in order to
> overcome this, some information from hop N about which previous hop was the
> last modifying hop.
>
>
> That seems like it would be enough to fix that objection.  An additional
> "first AMS failure" header at each hop would give you a list of who
> actually modified the message.
>

This makes sense, and should be a simple addition to 5.1.1 regarding
what/how to stamp. I'll noodle over this and suggest language.


>
> Theoretically, the second modifying hop could include information from the
> preceding AAR in it's AAR, and maybe that transitive trust (I trust hop 2,
> which trusts hop 1, so I have to trust hop 1) is ok, because by trusting
> hop 2, they could have completely replaced the message.  This wasn't done
> with XOAR.
>
>
> Right.  That's the bit that we do absolutely need, regardless of
> everything else.  Every link in the chain has to be trustworthy or they can
> just repurpose an existing chain valid chain.  If you didn't have that with
> XOAR I can see how an intermediate could have falsified the chain of
> custody under XOAR without being implicated for reputation purposes.  We
> definitely need to be able to know who the injection point for bad content!
>

Do we, though? ARC has NOT ever been about localizing or understanding
changes to a message, it has been about understanding *actors* who may have
modified the message.

For instance, if we have two ARC-participating hops, and it was a
non-participating hop between them who modified the message, we could
localize the breakage to being at or between the two hops, but could not
with certainty ascribe it to either hop, which is why ARC has avoided this.


> There would be no point in including multiple AMS/AAR headers, why bother
> keeping the non-verifiable ones.  Or maybe, you just get rid of the AMS and
> keep the AAR and have your AMS sign over all of the existing AAR records.
>
>
> Yes, that makes sense - So long as each AAR includes the signing domain
> that it checked against for its arc=pass, then no information is lost.
>

So much of ARC keeps trace information that might be useful to someone at
some point, it feels very weird to throw some headers out and keep others.
I argue we keep them all, and (to the discussion around Experimental
status) see what ends up being useful after this is in the wild for a bit.
This data can always be tossed later if it serves no real world purpose.



> I just had a really good chat with Seth on Skype half an hour ago about
> this.  He was unable to find a case where having a full AS,AMS,AAR adds any
> provable value over just checking the most-recent AMS and having AAR
> signed.  I do like your proposal of signing ALL the existing AARs, because
> they're the thing of value.  Old AMS have no value, and old AS have no
> value either so long as you have a cv=pass on the current AS.
>

That's not quite what I said ;-)

If you throw old AMSs out, you cannot validate current ASs or walk the
chain back.


> So if we had this:
>
> AMS: i=4, h=[...]:arc-authentication-results:arc-authentication-
> results:arc-authentication-results:arc-authentication-results:[...]
> AAR: i=4, arc=pass, dkim=fail, spf=fail
> AAR: i=3, arc=pass, dkim=fail, spf=fail
> AAR: i=2, arc=pass, dkim=pass, spf=fail
> AAR: i=1, dkim=pass, spf=pass
>
> That would give you everything.  The one downside is that every ARC layer
> added another item to the h= header in the AMS.  One nice thing about AS is
> that you don't need the h=, because it's implied.
>

All these items already get added to the h=.


>
> But overall I'd say removing the other AMS headers and all the AS headers
> still leads to a smaller payload than adding one
> h=arc-authentication-results for each hop.
>

We can't remove old AMS and AS headers for the reasons listed above
(mainly, a) we're saving trace information to see what's beneficial
downstream, and b) you can't validate the latest AS or walk the chain back
if you throw out old headers).


> Unless I'm missing something, this design is just as robust as the
> existing AS,AMS,AAR for tracking chain of custody back to the first
> untrusted site, and neither design is any good for knowing things for
> certain about the changes made before the first untrusted site.
>
> Of course - this design doesn't tell you which of the steps modified the
> message any more (my first point above).  I do like the idea of tagging the
> message with data about which hops modified it... which is an argument for
> not stripping AMS while is still validates.  You would wind up with
> something like:
>
> AMS: i=4, h=[...]:arc-authentication-results:arc-authentication-
> results:arc-authentication-results:arc-authentication-results:[...]
> AAR: i=4, arc3=pass, arc2=pass, dkim=fail, spf=fail
> AMS: i=3 h=[...]:arc-authentication-results:arc-authentication-
> results:arc-authentication-results:[...]
> AAR: i=3, arc2=pass, dkim=fail, spf=fail
> AMS: i=2 h=[...]:arc-authentication-results:arc-authentication-
> results:[...]
> AAR: i=2, arc1=pass, dkim=pass, spf=fail
> AAR: i=1, dkim=pass, spf=pass
>
> Which tells you that i=3 and i=4 didn't modify the message, because arc2
> passed when i=4 validated it (proving that i=3 didn't modify it), and the
> AMS for i=2, i=3 and i=4 all pass now.
>
> If the next hop was to modify the message it would add:
>
> AAR: i=5, arc4=pass, arc3=pass, arc2=pass, dkim=fail, spf=fail
>
> then strip all the existing AMS and add its own:
>
> AMS: i=5, h=[...]:arc-authentication-results:arc-authentication-
> results:arc-authentication-results:arc-authentication-
> results:arc-authentication-results:[...]
>
> Which signed that it verified hops 3 and 4 as non-modifiers.
>

I'll suggest language for stamping "first AMS failure", but we shouldn't
strip old AMS/AS headers.

Seth


>
> Regards,
>
> Bron.
>
>
> --
>   Bron Gondwana, CEO, FastMail Pty Ltd
>   brong@fastmailteam.com
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>

v2.23.0 | Report a Bug | By Email