Re: [secdir] [taugh.com-standards] Re:Security review of draft-levine-herkula-oneclick-05

"John R. Levine" <johnl@iecc.com> Sun, 18 September 2016 18:02 UTC

Date: Sun, 18 Sep 2016 13:55:36 -0400
Message-ID: <alpine.OSX.2.11.1609181337320.4957@ary.lan>
From: "John R. Levine" <johnl@iecc.com>
To: Ben Laurie <benl@google.com>
In-Reply-To: <CABrd9SQNM2e3AJwLSgzXV54MzKRf0MZ9_E+GPaT2oCzFwajdpQ@mail.gmail.com>
References: <CABrd9SQt9K+78WOm9aO_fObrvThKCVKyXAVF6WVmm=bN8c9bvw@mail.gmail.com> <alpine.OSX.2.11.1609181216340.4398@ary.lan> <CABrd9SSFCb7XdVFmLW6-OAtoo_7d-=Uivq0ax2v6iJKx=TusUg@mail.gmail.com> <alpine.OSX.2.11.1609181306500.4660@ary.lan> <CABrd9SQNM2e3AJwLSgzXV54MzKRf0MZ9_E+GPaT2oCzFwajdpQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0xDFaSMQrOA1NBEA3wFukWt3EKk>
Cc: draft-levine-herkula-oneclick.all@ietf.org, Paul Kincaid-Smith <paulkincaidsmith@gmail.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] [taugh.com-standards] Re:Security review of draft-levine-herkula-oneclick-05

>> It's only a goal here because they have other ways to do it if it's not
>> one-click.
>
> Ok, then in that case it seems like you only need to secure the POST
> arguments, not the URI.

There are several scenarios that this draft is addressing:

A) bad guy sends fake mail with real insecure opt-out link, MUA clicks it
indirectly when user hits the junk button

B) real message with real link is clicked by helpful anti-spam software, 
not the user

The hash stuff is for A, the POST is for B.  Since the POST gets both the 
URI and the arguments, the hash can be in whichever is operationally 
easier.  All the places that have rules about commercial junk mail say 
that if the recipient tells you to stop, you have to stop and "the link 
was in a fake message" isn't a defense. It's quite common now for the 
unsubscribe URI to be totally opaque, e.g., with a hash and a key the 
mailer looks up in a database to find the recipient's address, so that 
malicious parties can't guess other subscribers' addresses.  If they add 
POST arguments for one-click, they'll likely keep the existing opaque URI, 
and with the secure URI, the POST arguments tell it nothing beyond the 
fact that this is a one-click transaction.

In the two decades since 2369 came out, the URI stuff has become common 
knowledge among the narrow group of people for whom "deliverability" is an 
adjective.  I really don't want to open up 2369 with this draft, because I 
don't think the small amount this draft says would be helpful.  It doesn't 
change the way people use 2369, it only adds a new way to do 
list-unsubscribe.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
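The two scenarios John describes, scenario A (a forged message carrying a real but insecure opt-out link that the MUA follows when the user hits "junk") and scenario B (a real link followed by link-scanning anti-spam software rather than the user), as an added example that is not part of this message or of the draft. It models the mailer side: an opaque unsubscribe URI whose token is an HMAC over a subscriber id (so nobody can construct a working link for another recipient), and an endpoint that only unsubscribes on a POST carrying the one-click marker, so a scanner's GET changes nothing. The marker body `List-Unsubscribe=One-Click`, the `List-Unsubscribe-Post` header name, the `/unsub/` path, the HMAC token layout and the sample subscriber are all assumptions of this example, not things stated on the page.

```python
"""Added example (not code from the draft or from this thread): a toy
mailer-side one-click unsubscribe endpoint.

Assumptions, none of them stated on the page: the POST body is the literal
``List-Unsubscribe=One-Click``, the advertising header is named
``List-Unsubscribe-Post``, the opaque token is subscriber_id || truncated
HMAC-SHA256, and every URL, path and subscriber below is invented.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ONE_CLICK_BODY = {"List-Unsubscribe": ["One-Click"]}  # assumed marker body
TAG_LEN = 16          # bytes of HMAC-SHA256 kept in the token
PATH_PREFIX = "/unsub/"


def make_token(secret: bytes, subscriber_id: str) -> str:
    """Opaque token: subscriber_id || 16-byte HMAC tag, base64url, unpadded.
    The mailer keeps subscriber_id -> address in its own database, so the
    URI reveals no address and cannot be forged without `secret`."""
    sid = subscriber_id.encode()
    tag = hmac.new(secret, sid, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(sid + tag).rstrip(b"=").decode()


def parse_token(secret: bytes, token: str):
    """Return the subscriber id if the tag verifies, else None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    sid, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, sid, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    return sid.decode()


def unsubscribe_headers(base_url: str, secret: bytes, subscriber_id: str) -> dict:
    """Headers the mailer would add to outgoing mail: the opaque List-Unsubscribe
    URI plus the (assumed) one-click marker header."""
    uri = f"{base_url}{PATH_PREFIX}{make_token(secret, subscriber_id)}"
    return {"List-Unsubscribe": f"<{uri}>",
            "List-Unsubscribe-Post": "List-Unsubscribe=One-Click"}


def handle_unsubscribe(method: str, url: str, body: str,
                       secret: bytes, subscribers: dict):
    """Minimal endpoint. `subscribers` maps subscriber_id -> {"addr", "active"}.
    Returns (http_status, short description)."""
    path = urlsplit(url).path
    if not path.startswith(PATH_PREFIX):
        return 404, "unknown path"
    sid = parse_token(secret, path[len(PATH_PREFIX):])
    if sid is None or sid not in subscribers:
        # Scenario A: a guessed or forged token verifies nothing and
        # unsubscribes nobody, whoever follows the link.
        return 404, "no such subscription"
    if method == "GET":
        # Scenario B: link-following filters issue GETs; serve a page with a
        # button and change nothing.
        return 200, "confirmation page"
    if method == "POST" and parse_qs(body) == ONE_CLICK_BODY:
        subscribers[sid]["active"] = False
        return 200, "unsubscribed"
    return 400, "bad request"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    subs = {"u1": {"addr": "alice@example.com", "active": True}}  # constructed
    hdrs = unsubscribe_headers("https://lists.example.com", key, "u1")
    uri = hdrs["List-Unsubscribe"][1:-1]
    print(hdrs)
    print("scanner GET :", handle_unsubscribe("GET", uri, "", key, subs), subs["u1"]["active"])
    print("one-click   :", handle_unsubscribe("POST", uri, "List-Unsubscribe=One-Click", key, subs), subs["u1"]["active"])
    print("forged token:", handle_unsubscribe("POST", "https://lists.example.com/unsub/AAAA",
                                              "List-Unsubscribe=One-Click", key, subs))
```

The token carries the subscriber id only so the mailer can look the row up; the tag is what stops enumeration, and it should be checked with a constant-time compare as above. Nothing in the POST arguments identifies the recipient, which matches the point in the message that with an opaque URI the arguments say only "this is a one-click transaction".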