Re: [EAI] RFC 5335

ned+ima@mrochek.com Wed, 20 April 2016 18:39 UTC

MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: TEXT/PLAIN; CHARSET="us-ascii"
From: ned+ima@mrochek.com
Message-id: <01PZ8G9K8DGM00005M@mauve.mrochek.com>
Date: Wed, 20 Apr 2016 11:18:32 -0700
In-reply-to: "Your message dated Wed, 20 Apr 2016 12:33:43 -0400" <AECA29E7C05D83CE9736F93A@JcK-HP8200.jck.com>
References: <782609480-681267200@mail.monicals.com> <AECA29E7C05D83CE9736F93A@JcK-HP8200.jck.com>
To: John C Klensin <john-ietf@jck.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ima/j-tR0etCOmYGw5BHnBsVDw1E9BE>
Cc: Alan Ayres <adayres@monicals.com>, ima@ietf.org
Subject: Re: [EAI] RFC 5335
Precedence: list

FWIW, I dug up the actual report, which is available for download here:

http://windowsitpro.com/isheriff/office-365-security

The relevant part of the report appears to be this paragraph:

             Office 365 Emails Use Some Non-Traditional Headers

  Office 365 not following current RFC internet standards for email headers
  leaves your companies emails open to several vulnerabilities. RFC 5335 covers
  internationalized email headers, this standard allows the transmission of email
  headers using non ASCII characters. ASCII characters have been exonerated and
  exploited worldwide. RFC 5335 uses a new method including UTF-8, which is an
  encoded form of Unicode text. Also the message can only be delivered if
  authorized by an SMTP extension. By ignoring this standard, Office 365 is
  allowing anyone with the knowledge access to intercept, edit, and possibly
  resend emails with malicious content in the headers of the message.

IMO this makes little if any sense. As the text points out, you can't
get EAI messages without supporting the associated SMTP extension, which
AFAICT is not presently supported.

Of course nothing prevents someone from attempting to send a message containing
UTF-8 addresses without the extension. But this is just a specific case of
the more general problem of sending illegal garbage around - a problem
that's been present in email since its inception. In fact one way to view
EAI is that it makes a small subset of that garbage legal, which actually
creates a more complex security problem for the system.

In any case, mail systems have to defend against invalid inputs. It has always
been this way and likely always will be. Whether or not EAI is supported is 
largely orthogonal to this.

				Ned

P.S. No doubt it's mean of me, but I simply can't resist quoting another
part of this report. It says:

           Microsoft MIME Doesn't Follow RFC; More Open To Malware

  Microsoft MIME (Multipurpose Internet Mail Extension) is an application that
  allows for the transfer of different files through the internet. For a file
  transfer to happen successfully both the file servers and the browsers must
  have the same MIME versions applied. Microsoft MIME latest version follows the
  following RFC (Request For Comments) Internet Standards: RFC 2311, RFC 2312,
  RFC 2632, and RFC 2634. Version 3 of Microsoft MIME supports all versions of
  outlook and exchange after 2000 and 5.5. The following RFCbs have been left out
  and leave Microsoft MIME very vulnerable to certain malware: RFC 959 and RFC
  5797. Both of these RFCs deal with FTP (File Transfer Protocol) and without
  them, they leave Microsoft MIME vulnerable to several serious attacks which
  could lead to malware infestation. The following attacks have been confirmed in
  applications that do not follow RFC 959 and RFC 5797:

  <list of FTP vulnerabilities omitted>

I'm not going to comment further except to note that RFC 2311-2645 are all
S/MIME specifications.

Re: [EAI] RFC 5335 John C Klensin
[EAI] RFC 5335 Alan Ayres
Re: [EAI] RFC 5335 ned+ima
Re: [EAI] RFC 5335 Shawn Steele
Re: [EAI] RFC 5335 Randall Gellens
Re: [EAI] RFC 5335 Franck Martin