Re: [secdir] [] Re:Security review of draft-levine-herkula-oneclick-05

"John R. Levine" <> Sun, 18 September 2016 18:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B045212B05D for <>; Sun, 18 Sep 2016 11:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1536-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DNi9LOljvZQ1 for <>; Sun, 18 Sep 2016 11:02:19 -0700 (PDT)
Received: from ( [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7EF1B12B020 for <>; Sun, 18 Sep 2016 11:02:19 -0700 (PDT)
Received: (qmail 22390 invoked from network); 18 Sep 2016 17:55:35 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple;; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=5775.57ded517.k1609; bh=+pF9LZ3tg+pYXlliEdISLZAKJWhczxKo6/zo1za7+B0=; b=XjBXTsSezwTRs97+ffb4+7/bFMKInyOx+y/jjCcz4v3KMbOxemCmkkxf7aCVM1r/ORDty7Ey+p+KlNxqaPQfSMep505bLeXmO11UwrnmseR1nVAgCb8wihT4Dsa+inkK+XMtugCB7REtKuhhH40CSGdpy5z+ifhtiT1zYAwmvP9tN73B9KoYiFfIqw20X/F9WTdagAUDlqpHmxbRRKxqTmtEd3GGD33RouYTBBkaBajhhxOSy3GwR55TSIEP4RUB
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 18 Sep 2016 17:55:35 -0000
Date: Sun, 18 Sep 2016 13:55:36 -0400
Message-ID: <alpine.OSX.2.11.1609181337320.4957@ary.lan>
From: "John R. Levine" <>
To: Ben Laurie <>
In-Reply-To: <>
References: <> <alpine.OSX.2.11.1609181216340.4398@ary.lan> <> <alpine.OSX.2.11.1609181306500.4660@ary.lan> <>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <>
Cc:, Paul Kincaid-Smith <>, The IESG <>, "" <>
Subject: Re: [secdir] [] Re:Security review of draft-levine-herkula-oneclick-05
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 18 Sep 2016 18:02:21 -0000

>> It's only a goal here because they have other ways to do it if it's not
>> one-click.
> Ok, then in that case it seems like you only need to secure the POST
> arguments, not the URI.

There's several scenarios that this draft is addressing:

A) bad guy sends fake mail with real insecure opt-out link, MUA clicks it
indirectly when user hits the junk button

B) real message with real link is clicked by helpful anti-spam software, 
not the user

The hash stuff is for A, the POST is for B.  Since the POST gets both the 
URI and the arguments, the hash can be in whichever is operationally 
easier.  All the places that have rules about commercial junk mail say 
that if the recipient tells you to stop, you have to stop and "the link 
was in a fake message" isn't a defense. It's quite common now for the 
unsubscribe URI to be totally opaque, e.g., with a hash and a key the 
mailer looks up in a database to find the recipient's address, so that 
malicious parties can't guess other subscribers' addresses.  If they add 
POST arguments for one-click, they'll likely keep the existing opaque URI, 
and with the secure URI, the POST arguments tell it nothing beyond the 
fact that this is a one-click transaction.

In the two decades since 2369 came out, the URI stuff has become common 
knowledge among the narrow group of people for whom "deliverability" is an 
adjective.  I really don't want to open up 2369 with this draft, because I 
don't think the small amount this draft says would be helpful.  It doesn't 
change the way people use 2369, it only adds a new way to do 

John Levine,, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail.