Web server secured? Good, now let's talk about e-mail While Website owners may have noticed the need to get rid of old, buggy or weak crypto, those operating e-mail servers seem to be operating on autopilot. Not in a good way, either: the world of e-mail is headed for “controlled flight into terrain” if sysadmins don't grab the controls and get to work, the researchers from …
If it has been, it would explain why e-mail is so insecure as TLS 1.3 isn't out yet...
While using TLS for e-mail is a step forward, it's still not really a substitute for end-to-end encryption.
And then there's the problem of leaking the identities of the communicating parties.
Lots of work to be done!
The first step in solving this, the paper says, is for players like Google, Microsoft and Yahoo to push the deprecation of insecure e-mail mechanisms. This would force sysadmins to follow, since if you can't handshake with Gmail (for example), your users are bound to notice.
I would be very careful with that idea because that breaks the backwards compatibility model of the Net. I think I know what you mean to achieve, but this has to be done in stages.
The way to do this is to update the RFC to make TLS the default, and add an email flag that can tell an email server not to route an email if it cannot establish an encrypted connection. That still won't stop an out of date MTA, but support for this could be taken up in the handshake so email does not even get handed off to an MTA which does not support this updated model (or is not configured to support it, but it's pretty much impossible to check that without complete breaking how email works). You need the fallback because there are countless services and devices that use boring standard plaintext SMTP, and they would break if you just started to arbitrary impose demands without a fallback position.
At the moment it's not client to MTA traffic that is the problem, but MTA to MTA. My own ISP supports the highest possible crypto and I can see in the message headers that those with correctly configured servers have indeed had a TLS protected transmission. Unsurprisingly, any UK government email delivered via MessageLabs comes over cleartext SMTP - they don't even try.
Gmail does, though, here is a snippet of a header from an email from El Reg (anonymised to protect the guilty :) ):
Received: from mail-yk0-f181.google.com ([209.85.160.181]) by mxin015.xxxx.xxxx with esmtps (TLSv1.2:AES128-GCM-SHA256:128) (Exim 4.84 (FreeBSD)) (envelope-from <xxxxxxx@xxxxxx.com>)
Granted, still not the best crypto but it's better than nothing. THAT is where this should start - maybe even tie a cert download to DNS services so you can ensure whoever is trying to mount a Man In the Middle attack will then not just have to break the link but also hack into your DNS - that's two bits to break instead of one, and some providers such as EasyDNS already provide monitoring services agains domain highjacks.
The Internet works because we remain careful with what we change - let's not try to run before we can walk, shall we?
Why try if it's going via a US-owned service provider?
Because they still have to pretend to do something more than just hand off a copy of what they handle to the US? Otherwise it won't be long before they get taken out of the loop. The "parliament.uk" domain has already been taken off MessageLabs, so thankfully someone is finally paying attention.
I would be very careful with that idea
I won't be. I'll call it damn stupid.
Another bunch joins the "my threat model is the only threat model" crowd.
We used to complain that there weren't enough people practicing IT security. Now apparently the problem is that too many are practicing without bothering to actually learn about it.
As soon as Let's Encrypt can get me a certificate, I'm going to get one. My website should be HTTPS-only by mid-December with a little luck. (The hard work is just content checking, to make sure all embedded content is also HTTPS and therefore doesn't trigger mixed content warnings.)
But SMTP? That terrifies me. I was a messaging administrator for 15 years before I switched to another technology this year. I've done that in healthcare, banking, and other sectors - I've got plenty of experience with doing SMTP+TLS, yet it's still deeply scary.
And it's not the setup of my systems that's really the issue. It's other people's systems. Which are often badly set up and badly maintained. If Blackadder had continued on to do a series in which he worked in IT, the conversation would go something like this:
Junior BOFH - "I want to see how an email system is run... so badly!"
Blackadder - "Well, you've come to the right place. An email system hasn't been run this badly since Hillary Clinton's campaign manager found a cc:Mail CD and a spare half hour..."
In theory, it should be fine. Very few people verify the certificates' signature chain. Or that the hostname matches the certificate. Or the TLS version, the ciphers, or much of anything else. They just use TLS opportunistically to ensure encryption over the public network.
Although it is odd that the only reason it'll be fine is that SMTP+TLS is almost always so badly set up it's actually very insecure.
But I know how complicated this is, and I recall what happened whenever a commercial partner's security team decided to try and enforce proper security in this area. Those were the "interesting days". Very long and very interesting...
And that's what terrifies me about this. The part where everyone else has to learn what I learned years ago - nobody wants to do this properly, they just want to do it well enough that it ticks the box marked "email to partner organisations is encrypted during transport".
Basically, it'll be a right mess.
I'm glad I'm out of the messaging game!
This will be fun when openssl is banned by the UK government because it has working encryption...
As far as I know, SSL protection is the only saving grace one specific government department has for what is a mistake of embarrassing proportions (read: UK wide), so I suspect anyone making noises in that direction will end up with a quiet word from someone rather high up to shut the f*ck up. In a few months that may change, but for the moment banning OpenSSL or any other crypto idea would leave them with no plausible protection. Not going to happen.
The recent increase in HTTPS certificate security (moving certificates from 1024 to 2048 bit)
A meaningless statement, since X.509v3 certificates will pretty much always be longer than 2048 bits. Oh, are they referring to a key length? Perhaps they should learn how to use technical terms correctly.
millions of hosts are currently misconfigured to allow AUTH-PLAIN over unencrypted connections
They're only "misconfigured" if the administrators thought they were specifying something else. Perhaps these researchers should learn that their threat model is not everyone's threat model.
terrifying conclusions
Oh, please. Could we restrain the doomsaying just a little bit?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
