IETF Logo Mail Archive

Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Bron Gondwana <brong@fastmailteam.com> Fri, 11 August 2017 23:54 UTC

Return-Path: <brong@fastmailteam.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBFC6132350 for <dmarc@ietfa.amsl.com>; Fri, 11 Aug 2017 16:54:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=KzLBn7GW; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=VzF9yK/Q
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jTMq8A3qHPOz for <dmarc@ietfa.amsl.com>; Fri, 11 Aug 2017 16:54:07 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DEB6132335 for <dmarc@ietf.org>; Fri, 11 Aug 2017 16:54:07 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id F056620C01 for <dmarc@ietf.org>; Fri, 11 Aug 2017 19:54:06 -0400 (EDT)
Received: from web4 ([10.202.2.214]) by compute6.internal (MEProxy); Fri, 11 Aug 2017 19:54:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=content-transfer-encoding:content-type:date :from:in-reply-to:message-id:mime-version:references:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=QseEUcgjP9SwUAfIO rKEp+JAirvv4+PfLSjjLR+HJk4=; b=KzLBn7GWCiyQ45UOUhgL9XJxfhYI9Uzp3 OOleTFxB/BhXm6YDHm4FHfhzQfjN12CwiOvVG1TyekCUOpdDfxOSjyBXzsv6p6+0 r+qgPXGCgUAFz25FHu5JmBwQ7rrczopjWeERY1y0iZjHE94H7tqF3OmyC7HYAmNY t6mKUG/SkTI4PjpORNJ7nJ7qGW5Xgc1E5+XHrHnMf2R6jFM9lECmMmxS1bOte26R fd3n2AogJdPRousuAnl5gDpWKI6TGihLHsX+A4auyEpL8zm9yygAnN+s1L1Qn1G0 BApr2GOjxP4IPKlZz6qfh38gDs56UdXU5xjvl0dk4zs0KSLH7LfxA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=QseEUc gjP9SwUAfIOrKEp+JAirvv4+PfLSjjLR+HJk4=; b=VzF9yK/QVGDwAY/YzX3qwe xWUFUdGpkWTSQOKBb9nfxsNO49Xazpak2GE3VGSDcz+5WOLdIVtAQPFJCZXWjPeb yYyr5Te55MJS9MH8HNGY8LJkHrQ1B90+aZ2FNeuZ4tJ6dDaslxqNhvIN2Bn/IhVm 0mp5PFF/4/lelDgFX6Hfmf/m6a2wBjwvPJLIZpApZWIMVPR8LdqOLXR4LYwDYaP9 xvpRiLuTTyEK0a1jCoydAkosRGqVGiB0JlDS2WPrw5tqCCaD+y+JNqYjwSPKGLFk pttq1bWGLJj7DncAv7F/Ial+apF0mbm4H0zeuNCB69QCojAtBkRHnVIMzcupST2g ==
X-ME-Sender: <xms:nkOOWfWlc7Dwp9CeFXJ9xVJ6n30t7bOtwBRv56VlNmprjGS2iDhOiA>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id B5D60BAB71; Fri, 11 Aug 2017 19:54:06 -0400 (EDT)
Message-Id: <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com>
From: Bron Gondwana <brong@fastmailteam.com>
To: dmarc@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_150249564640991763"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-33d44821
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com>
Date: Sat, 12 Aug 2017 09:54:06 +1000
In-Reply-To: <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/wMiY7L25oVnksOwJxuJJf1fz0vs>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 23:54:12 -0000

On Sat, 12 Aug 2017, at 03:22, Dave Crocker wrote:

I'm just picking out the key quote here:

> On 8/7/2017 4:22 PM, Seth Blank wrote:
>> When validating an ARC signed message, one verifies the latest AMS
>> (which must validate), and *the entire chain* of ARC Seals, not only>> the latest. This guarantees you a list of all message signatories -
>> the chain of custody we're talking about.

Yes, I follow this bit, but then...

>> When evaluating the chain for final receipt, there are two states to>> worry about as a matter of local policy: 1) you trust all the
>> signatories on the chain 2) there is an untrusted signatory on the
>> chain

Which is why it's a bad idea to sign if you're not modifying, because
then everybody has to trust you or their chain breaks, even though you
didn't do anything which required signing.
>> In state #1, you're done - if you trust the signatories then you
>> trust they're not playing games with the AMS and AAR contents or
>> manipulating the message in malicious ways. Now you can make a
>> delivery decision as local policy dictates.

Agree.

>> In state #2, you're also done - if you don't trust all the
>> signatories, then there are a multitude of routes for the message to>> be garbage, including but not limited to everything you've outlined
>> above.

Agree.

>> The critical thing about the ARC Seal is that it guarantees this
>> behavior in state #1 - if you trust all the d= values in the ARC
>> Seals, they all validate, and you have cv=pass, then you know for
>> certain everyone who has manipulated the message (and maybe some who>> handled but did not modify).

In state #1, you don't need a chain of ARC Seal.  You just need each
site to sign their own AAR and each AAR to include "arc=pass" for the
previous AMS.  You trust the sites, so you trust them to verify the ARC
status on ingress.
So ARC Seal isn't adding anything other than complexity.  I'm not saying
"ARC Seal doesn't work in case #1" - I'm saying "ARC Seal is security
theater in state #1".  It's overly complex and adding no value.
>> Without the ARC Seal this determination is not possible and there is>> no way to evaluate the ARC chain for delivery as a final receiver.

And this is the crux of our disagreement.  Seth thinks it's necessary to
do more than signing a statement that you believed the message was
authenticated when you got it, in a way that the next hop can verify
your signature over your own Authentication Results plus the content of
the message.  I disagree.
I'm proposing exactly the same stragety DKIM uses, just with series of
signed "chain of custody" statements rather than the DKIM signature
having to align with the sender domain.
What has no value is a chain of ARC-Seal that has to stretch right back
to the start, because all that is doing is signing its own crypto and
some headers that can be trivially transplanted from another message.
If this list allows messages with attachments, you'll see a copy of
"signedforgery.txt" which has me pretending to be Kurt with the complex
test message he gave me in Prague.  I've forged the Subject and Body,
and then Sealed it as brong.net.
brong@zula:~/src/mail-dkim$ perl arc.pl < signedforgery.txt
pass
ARC-Seal: v=7 pass
ARC-Message-Signature: v=7 pass
ARC-Seal: v=6 pass
ARC-Message-Signature: v=6 fail (message has been altered)
ARC-Seal: v=5 pass
ARC-Message-Signature: v=5 fail (message has been altered)
ARC-Seal: v=4 pass
ARC-Message-Signature: v=4 fail (message has been altered)
ARC-Seal: v=3 pass
ARC-Message-Signature: v=3 fail (message has been altered)
ARC-Seal: v=2 pass
ARC-Message-Signature: v=2 fail (message has been altered)
ARC-Seal: v=1 pass
ARC-Message-Signature: v=1 fail (message has been altered)

The fact that there is an intact chain of ARC-Seal is pointless here.
And as I have (hopefully successfully) argued above, if all the sites
are trusted and they each successfully cryptographically authenticate
the previous sender (or SPF at the first hop), you need is the AMS.  ARC-
Seal does nothing.
Bron.

--
  Bron Gondwana, CEO, FastMail Pty Ltd
  brong@fastmailteam.com

v2.23.0 | Report a Bug | By Email