IETF Logo Mail Archive

Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Bron Gondwana <brong@fastmailteam.com> Sat, 19 August 2017 00:26 UTC

Return-Path: <brong@fastmailteam.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 365241323F9 for <dmarc@ietfa.amsl.com>; Fri, 18 Aug 2017 17:26:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=TQx638bm; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=ZdTkArek
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZueH_5HbZbp4 for <dmarc@ietfa.amsl.com>; Fri, 18 Aug 2017 17:26:37 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00E011323AA for <dmarc@ietf.org>; Fri, 18 Aug 2017 17:26:36 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 4AA5D22120 for <dmarc@ietf.org>; Fri, 18 Aug 2017 20:26:36 -0400 (EDT)
Received: from web4 ([10.202.2.214]) by compute6.internal (MEProxy); Fri, 18 Aug 2017 20:26:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=content-transfer-encoding:content-type:date :from:in-reply-to:message-id:mime-version:references:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=IXNXEmOTen5d84vYs J+rjNNPBQcJzLew2aVlzK9fRLk=; b=TQx638bmh3rLNRiyw2wq3w5V03R+JOFKa +44WiTN8fK8OxcZamcUdCrvfDg7NaHE5KhSSRwdf7t1bk5XTfP8ztXiIeKamSipy I8PU1OCrbjymyS4Vz5CHhpRcIIho/rAqwn639WhP+PKhL1WYIBwy7QpeS/7VkAta vwDj8XDHmsbiEhk7BpGF06HQ28gWzjRfwQLFt6X6xYET6y/LMTtI0gJJKT+FjyHZ hF5jfVPj0d/HKJR6cKuUf47YAP6uYk71GkBvu4pXkRq50Yr5mBSblTUd99O+uvdu wUOzw0TdmCUNmy8qWq4TffegGkzwAU813txMK50OZMoa97oBudOIA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=IXNXEm OTen5d84vYsJ+rjNNPBQcJzLew2aVlzK9fRLk=; b=ZdTkArekYsI7bE1FX53O8f RkMXf03sNjdiOXXGV1e72WZUugDg8kOc1M2CGrWaH68aReq6Ih5Wp22mMLx0wRjS EYvjbRuSHQLt8wUPkC4Ll+oDUxvNgx53w+dlzgGejYk35Yevnv9ZI4fFlAJaTevV n7blI+VELc9qN/GhbGXP2pzd7VFYfLE24cTG2j5As2uggOFlGfN8mlUJA6alKE+z yX8/LwhJhpZx/+c21o4oK0zJt+nF9zompaqOBop7stkQH2DiYEDJpoRPwKTGdd2+ BmkWqCgoFIcV9Kzh7tdeXRdI7HQ9g5TcoS6I5fl7CV7LnzAppCfo/dU/h2ryQNiQ ==
X-ME-Sender: <xms:vIWXWZoIBw47I9ggWLfc-iCYZ6Wr_usGtKskxzr-Dtzi2nb-T1h11Q>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 0D3F1BAB71; Fri, 18 Aug 2017 20:26:36 -0400 (EDT)
Message-Id: <1503102395.2676097.1078114248.6DB98C8B@webmail.messagingengine.com>
From: Bron Gondwana <brong@fastmailteam.com>
To: dmarc@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_150310239526760975"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-21c69044
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <166070f0-4ba1-70da-1f73-885b4a7f7640@gmail.com> <1502497178.4103451.1070917304.23DD466D@webmail.messagingengine.com> <598F9484.7020700@isdg.net> <CABuGu1p=oLfLRkuoaDHoz3Cv3_FrURdsFPzkac7jNzBpqBmiSg@mail.gmail.com> <599484FB.9050908@isdg.net> <1502929303.4038704.1075868960.5D80A788@webmail.messagingengine.com> <CAD2i3WN_bmDgmQBw3pnyu7vWJJM2Kzwgru87VhK=NA_H91B+og@mail.gmail.com> <1502930858.4042926.1075890568.5069945B@webmail.messagingengine.com> <CABuGu1ofdkP6Gdsfin6KfpiTJW39gXz8Fa0iAAmXfcvyWGZxdA@mail.gmail.com> <CAD2i3WPuiMw6Gbdw0E+Gh=yNDfNjECMrqLHKPUspq_h6dnpbnA@mail.gmail.com> <f62ca9fc-e73c-82e7-173c-5cdc3c761dd6@gmail.com> <CAL0qLwZRfEEZ=Vz4tWAYEn97H9uvMzSyYe2+-Ak762qpvDmm3g@mail.gmail.com>
Date: Sat, 19 Aug 2017 10:26:35 +1000
In-Reply-To: <CAL0qLwZRfEEZ=Vz4tWAYEn97H9uvMzSyYe2+-Ak762qpvDmm3g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/vRcdBurh--xSVZkl--7v6BfAFuY>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Aug 2017 00:26:40 -0000

On Sat, 19 Aug 2017, at 04:10, Murray S. Kucherawy wrote:
> On Fri, Aug 18, 2017 at 10:08 AM, Dave Crocker
> <dcrocker@gmail.com> wrote:>> On 8/18/2017 10:00 AM, Seth Blank wrote:
>>>
>>> Right now, we've got deployed code that we know works and improves
>>> the landscape. Everything else is - rightly or wrongly - conjecture.>> 
>> 
>> Personal Point of order:
>> 
>>     Using an 'installed base' argument for a brand new specification
>>     that is still in development and has minuscule deployment is not
>>     appropriate, in spite of having a long and storied history of
>>     being used to resist a proposal.>> 
>>     What's supposed to happen with a proposal is an evaluation of its
>>     technical and functional merits.>> 
>> 
>>  The entire point behind bringing a nascent specification to the IETF
>>  is to get review and suggestions from a wider audience.> 
> While I would normally agree firmly with that position, my view in
> this case is softer given what I believe was consensus (I'm not the
> chair, so that's not my call officially) that we're going to go for
> Experimental status.> 
> I submit that our primary mission here per our charter is to come up
> with a mechanism that mitigates DMARC's damage to mailing lists.  The
> claim that ARC as designed over-engineers a solution seems secondary
> to me; the question we need to answer is "Can this mitigate the
> damage?"  With or without Bron's reduced design, that's the question
> before us.
Yes, this is the crux of the question. 

> The "snake oil" claim may be true but it's orthogonal to that core
> question, and moreover points to the way we describe what exactly ARC
> provides ("chain of custody" is clearly not appropriate given that we
> are no longer sure what that actually covers), independent of whether
> it tells us enough to solve the question at hand.> 
> Accordingly, I would suggest we continue to deploy and experiment with
> the specification as-is, because there are implementations now, until
> we've determined that ARC as currently defined does or does not
> address DMARC's mailing list issues.  I also suggest that an appendix
> be added acknowledging that the super-crypto of ARC-Seal may be
> superfluous, and at the conclusion of the experiment we can make a
> decision about removing it and moving more toward what Bron's
> suggesting.> 
> Of course, the danger of proceeding along that line is that we do
> establish a deployed base, however small, that will be difficult to
> change later.  I don't know the answer to that question immediately,
> and admittedly I'm only going to be on the periphery of cleaning up
> whatever mess results.
Well, let's have a look at the question - can ARC mitigate the damage?
It depends what p=reject means.
Right now Brandon can't email this list with his blong@google.com
address, because google.com publishes a p=reject record.  If the
list supported ARC, he could email this list and receivers which
supported ARC would accept the email from the list despite the
p=reject record.  Yay.
I could also take a message from the list, rewrite the subject and
content to be my own, sign it with my own key from my own domain, send
that to somebody as it if had come from Brandon, and assuming they
supported ARC, they would also accept that email, depite the p=reject
record.  Boo.
p=reject no longer stopped me sending a fraudulent email claiming to be
from Brandon with a "From:" of his official work address.
The receving site now needs to run heuristics including content analysis
and trust metrics on every hop in the ARC chain to determine whether to
accept the message.  That's fine, but we've basically mitigated DMARC
breakage of mailing lists by rolling back the meaning of DMARC p=reject.
Anyone can create an ARC seal on any email.  It doesn't even have to
have an original ARC seal on it.  Attached is an email which purports to
be from Brandon and has a valid ARC-Seal on it (assuming my code works
correctly - it adds the c= parameter now after Seth pointed out that
opendkim doesn't handle leaving it out).  Somebody from Google might be
able to tell which email I based this on (an email on Aug 9th to this
list and CCd to me which then got resent from a different address)
This will be accepted by an ARC-aware receiver unless I'm on a
blacklist, despite the p=reject.
Creating a new domain and putting a key in its DNS is pretty trivial -
so I guess the question is, what is ARC  doing other than rolling back
DMARC p=reject entirely?  We'd better think about that deeply, because
spammers/scammers sure will be.
Bron.

--
  Bron Gondwana, CEO, FastMail Pty Ltd
  brong@fastmailteam.com

v2.23.0 | Report a Bug | By Email