IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Wed, 13 March 2019 00:02 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BDD2131167 for <uta@ietfa.amsl.com>; Tue, 12 Mar 2019 17:02:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KXes1oPpEdht for <uta@ietfa.amsl.com>; Tue, 12 Mar 2019 17:02:19 -0700 (PDT)
Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2CDB13116B for <uta@ietf.org>; Tue, 12 Mar 2019 17:02:16 -0700 (PDT)
Received: by mail-lj1-x244.google.com with SMTP id a17so3925789ljd.4 for <uta@ietf.org>; Tue, 12 Mar 2019 17:02:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=LUTkpwhaBruSEI4GAtyZlvaqHs95r/ddjDPOJm9CblI=; b=FnKkt/u3okNHDAinkjakLRiiJ7Og20VDE1jMFUCqRpBlZEqW6sPlL0ElqnwurUx8XR YgPdtMLplJWJa/S0DXYr+UkoFpVm1V1mqqW1IQ7Y/K/SgqLnA95J6ZcUO+6W2D72+xbk KRFdbIayzwh09tsUTiD54zlDL2nVqO4NWMzjt6Zq+aSIx3P1W2jHSlqwxx9hN18kmd/c s42qKr5Nqhte0GExXYL8Qd34SYrRk4UDVMYBo6KdjqAp6GOmcDdTKSpLQRyOU2zhAAdl KeuQnubTdYE5/oeuuKIlctYcb5MADX3Hpykyr8QeUv4+b9Q14WcW3B4nM1AU8k3pWToT 7PlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=LUTkpwhaBruSEI4GAtyZlvaqHs95r/ddjDPOJm9CblI=; b=W9lCTqVP1QP1OOw5w1kY8Jxrokik5/uaKUmw9nhayHH0cF30XCm0gN8K6zPl1XWuam onFGi4Skt6IZuLHG8gvAYLDBlULTNmiT1axMdS/UxKMJxvljWTjVbvvGDvVHPdXoP1LT Zhxhipqq8SdGKG9awRihceem5Vr5WDzijy5EvX4afZxE3azBGRCd5VUjTwglIyl10BYI obDhjJimAhQ1vqyyMq3+pQjyHZvMneaCc45NsCAbwTgfglfdB9dBbFFgi8h5LP5rk4kX x3vt9LIYMsVgwk4X1O6SYh6JUw/z6/EGDIHrtT3Vzg/hpXR+rhXwIMbNouoh/KY6PTqd ZetA==
X-Gm-Message-State: APjAAAWPuc9QQnVif/kZ7qQJcA7aE/XlLzCPgDps8zL1mUWClHn9Blt8 OO4qMxa1Aq2sle4baPuiZr/qgtsyFQoe4D+QdKCPlDLl
X-Google-Smtp-Source: APXvYqyq07N2sl1jBcgkJ6SIhZUuACsvAZIsoH/aGoK7mRdL6ztfxEqt886L2tpui+BERE6p3N3dbQgpJjzLcwG4WWk=
X-Received: by 2002:a2e:5d59:: with SMTP id r86mr18572994ljb.158.1552435334285; Tue, 12 Mar 2019 17:02:14 -0700 (PDT)
MIME-Version: 1.0
References: <155076162945.8595.2671476533659571699.idtracker@ietfa.amsl.com> <554356ec-de3a-08ed-a920-0397813895e0@bluepopcorn.net> <CABcZeBPOWVhPTpBt3E8GsqH7LMtG4y04voqTCLS=PG3hZk+NaA@mail.gmail.com> <b79b4b8a-a2b9-8954-83fd-e2789b4cd3c3@bluepopcorn.net> <CABcZeBPG3HHPhwoSNJPJGgLbSSOmSWhw43U+T-tnrVTjgtzmiQ@mail.gmail.com> <20190228183553.GA916@straasha.imrryr.org>
In-Reply-To: <20190228183553.GA916@straasha.imrryr.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 12 Mar 2019 17:01:37 -0700
Message-ID: <CABcZeBPDLr9MizT3bhJzZWuZtk3S6gWtdkvPL1bOQdOXox4Zuw@mail.gmail.com>
To: uta@ietf.org, draft-ietf-uta-smtp-require-tls@ietf.org, IESG <iesg@ietf.org>, uta-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a323bd0583ee8493"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/Hg09cgJd0fXJGhdnRyCTTpgFQFk>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-smtp-require-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 00:02:21 -0000

On Thu, Feb 28, 2019 at 10:36 AM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Thu, Feb 28, 2019 at 09:42:31AM -0800, Eric Rescorla wrote:
>
> > > The preferences we're talking about here (MTA-STS and DANE) are
> basically
> > > advertisements saying, "if you send mail to this domain, you should
> expect
> > > to use TLS when doing so."
> >
> > and "if you recognize this indicator, you should fail if the server
> doesn't
> > do TLS", right? Just like HSTS.
>
> Thanks for the clarification, I now see how you're arriving at your
> position.  The key difference is that you see MTA-STS and DANE as
> analogous to HSTS in setting a mandatory security policy for the
> client.  But the analogy is crucially imperfect.
>
>     * With browsers, given an "http://" URL or bare domain in the
>       browser's address bar, the client either honours that and uses
>       an unauthenticated, unencrypted channel, or given HSTS
>       unconditionally upgrades to encrypted authenticated HTTPS.
>
>     * With SMTP, there isn't a second email address format for email
>       delivery over TLS.  The MTA chooses the best available security
>       level opportunistically.  The baseline is cleartext delivery.
>
>     * SMTP upgrades to (unauthenticated) STARTTLS opportunistically,
>       when offered by the peer.  Even in the absence of DANE, MTA-STS,
>       etc., the sender can and most often does use STARTTLS (~92%
>       of the time in/out of Gmail).  Which is sufficient to deal
>       with passive monitoring.
>
>     * But active attacks can forge MX replies, strip STARTTLS or
>       MiTM the TLS session.
>
>     * What DANE and MTA-STS (after first contact) do is harden the
>       peer signal against active attack, *enabling* the sending system
>       to negotiate the highest shared security level.
>
>     * Neither *obligates* the sending system to use them without
>       exceptions.
>
>     * This is in part because even without either, STARTTLS is then
>       typically used, and is often viewed as an adequate compromise
>       between security and reliabile delivery.
>

I'm sorry, but I don't see how any of this is meaningfully different from
the
situation with HSTS. In both cases, the receiving system indicates that
the sending system ought to use secure transport, and if the sending
system conforms to the specification providing that indication, it is
required to use secure transport. See:
https://tools.ietf.org/html/rfc8461#section-5

"

 When sending to an MX at a domain for which the sender has a valid,
   non-expired MTA-STS Policy, a Sending MTA honoring MTA-STS applies
   the result of a policy validation failure in one of two ways,
   depending on the value of the policy "mode" field:

   1.  "enforce": In this mode, Sending MTAs MUST NOT deliver the
       message to hosts that fail MX matching or certificate validation
       or that do not support STARTTLS."



DANE and MTA-STS describe what a sender must do *when* doing DANE
> or MTA-STS, in order to get a result that is (more) resistant to
> active downgrade attacks, but they are not mandates.  The sender
> can elect to not implement either or both,


This seems to be precisely the situation with HSTS. Clients are not
obligated
to implement HSTS.



> or to skip either or
> both for selected destinations.
>

I actually don't see this text in 8461. Can you supply a link?



All that this draft does is specify a way for the sending system
> to give the user some control over the handling of his message,
> so that MUAs and downstream relays can recognize the user's
> preference and perhaps take it into account.


That's one read of it, but another is that it allows the sender to
instruct the intermediary to override the receiver's clearly expressed
preferences.


We should keep in mind that email is often the medium used to
> communicate about operational failures.  And that not infrequently,
> insecure email is the medium through which more essential security
> is brought back into service elsewhere.
>

Well, this seems like potentially an argument that MTA-STS is a bad idea,
but it's not clear to me that this document is the appropriate fix, for the
reasons I indicate above.

-Ekr

v2.23.0 | Report a Bug | By Email