Re: [secdir] [] Re:Security review of draft-levine-herkula-oneclick-05

Ben Laurie <> Mon, 19 September 2016 11:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5BA2512B32C for <>; Mon, 19 Sep 2016 04:06:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.316
X-Spam-Status: No, score=-4.316 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DOEwPtclv4bX for <>; Mon, 19 Sep 2016 04:06:37 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0E80D12B321 for <>; Mon, 19 Sep 2016 04:06:37 -0700 (PDT)
Received: by with SMTP id i66so81829262yba.0 for <>; Mon, 19 Sep 2016 04:06:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dWaq9nu2g4K4vIMSHhnhXJGRBYclN1ZhwqYCAy1+6H4=; b=byCFWBXkySQ2kb4+BRilaYk9wWkuBh7FiSez3H/qAAHeR7OVDoJVqdU772CzcAhIoW ywcWtgNiBY3WnrMyZrS1YwRgI/+W9neQJV4Or8QnOh/aBdQLnlelivIO4OIHg7TPDI89 1f6CEPvXyfsq50PGgDEgaVrXLSW0MANSbFVSI82xpbO0+iI3uLzqMSzv208W6d0wc8Bb 2lcidJnr5btZAkKtAnZ7Mg0F/Cq9tB6HOEZrfwDoGwLAl7PD2QpG/4iNGVkYbUwasbdx mnUK/Hphs0ZNN9HMAbWOLX860sxJ+TizsyS+IbJSLGFddWSEKJA//yy6ntyoXS+9py0C 8e4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dWaq9nu2g4K4vIMSHhnhXJGRBYclN1ZhwqYCAy1+6H4=; b=exBU0Xc9+SLjmhif6ZsYHrDGharMlicnghLQp6/WOQJfQ7ul4qPxm27ngAuoHW5zNT HOcOE4p5X9rWUuSKebUqvBxCyN5/5cdX8lYE++DLZ+wY2q0dyQtQSvYxPwgH8plT9NgS +CXgGESLG74NotH4pHO36W0NDisW5Nl8OJwuJR3ApxcZtU19yU6I64/D0EQL1bG3Wrgv zrTOklG+VXVxu0tgQygxHpRlute9rji0fOF473huXmwy3pUi+x80xGjmUG2pOJeU8v5S iZ+cM6wA+GXrZsLoj9kzfykZjABoz3GdcM0BPBYrKkISfz2vGGVwJnAtxPbiU6vU2Eol 4UKA==
X-Gm-Message-State: AE9vXwOekfhkKgMP+t3Z47P7uwOwRiIvpjJFjsvGj6G+/P1zDMBU3teOobrv2PcEZSNH7J78/wNdKcaKC3eOX5Cl
X-Received: by with SMTP id l204mr25134045ybc.124.1474283195910; Mon, 19 Sep 2016 04:06:35 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Mon, 19 Sep 2016 04:06:34 -0700 (PDT)
In-Reply-To: <alpine.OSX.2.11.1609181934050.6785@ary.lan>
References: <> <alpine.OSX.2.11.1609181216340.4398@ary.lan> <> <alpine.OSX.2.11.1609181306500.4660@ary.lan> <> <alpine.OSX.2.11.1609181337320.4957@ary.lan> <alpine.OSX.2.11.1609181934050.6785@ary.lan>
From: Ben Laurie <>
Date: Mon, 19 Sep 2016 12:06:34 +0100
Message-ID: <>
To: "John R. Levine" <>
Content-Type: multipart/alternative; boundary="001a114888503158b6053cda4eff"
Archived-At: <>
Cc: Paul Kincaid-Smith <>, The IESG <>, Tobias Herkula <>, "" <>
Subject: Re: [secdir] [] Re:Security review of draft-levine-herkula-oneclick-05
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 19 Sep 2016 11:06:39 -0000

On 19 September 2016 at 00:36, John R. Levine <> wrote:

> One other thought -- I think the most common thing that mailers do is to
> put the subscriber info into a database where each record includes a
> randomly generated key unrelated to anything else.  Then you put that key
> into the URI, no HMAC needed.


> R's,
> John
> It's only a goal here because they have other ways to do it if it's not
>>>> one-click.
>>> Ok, then in that case it seems like you only need to secure the POST
>>> arguments, not the URI.
>> There's several scenarios that this draft is addressing:
>> A) bad guy sends fake mail with real insecure opt-out link, MUA clicks it
>> indirectly when user hits the junk button
>> B) real message with real link is clicked by helpful anti-spam software,
>> not the user
>> The hash stuff is for A, the POST is for B.  Since the POST gets both the
>> URI and the arguments, the hash can be in whichever is operationally
>> easier.  All the places that have rules about commercial junk mail say that
>> if the recipient tells you to stop, you have to stop and "the link was in a
>> fake message" isn't a defense. It's quite common now for the unsubscribe
>> URI to be totally opaque, e.g., with a hash and a key the mailer looks up
>> in a database to find the recipient's address, so that malicious parties
>> can't guess other subscribers' addresses.  If they add POST arguments for
>> one-click, they'll likely keep the existing opaque URI, and with the secure
>> URI, the POST arguments tell it nothing beyond the fact that this is a
>> one-click transaction.
>> In the two decades since 2369 came out, the URI stuff has become common
>> knowledge among the narrow group of people for whom "deliverability" is an
>> adjective.  I really don't want to open up 2369 with this draft, because I
>> don't think the small amount this draft says would be helpful.  It doesn't
>> change the way people use 2369, it only adds a new way to do
>> list-unsubscribe.
> Regards,
> John Levine,, Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail.