SSL/TLS passive sniffing

Victor Duchovni Victor.Duchovni at MorganStanley.com
Tue Nov 30 22:53:38 EST 2004 

On Tue, Nov 30, 2004 at 03:32:35PM -0500, Ian Grigg wrote:

> > On Tue, Nov 30, 2004 at 01:39:42PM -0500, Victor Duchovni wrote:
> >> 8221    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
> >> 6529    (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
> ...
> 
> Great stats, guys!  Can either/both comment on what proportion
> of connections you are seeing that use STARTTLS as opposed to
> not using STARTTLS?
> 

I only have stats for accepted mail, not for invalid recipients, RBL
rejects (apologies to gnu at toad.com), and so on. Of the accepted mail in
the sample, TLS accounts for 15212 out of 144843 messages or 10.5%. So TLS
is not uncommon (volume weighted) among email senders. Email encryption
is mostly opportunistic: peer verification is the exception rather
than the norm. For example, Sendmail.com's certificate is self-signed
and the CN (tls.sendmail.com) does not match the name of the MX host
(smtp.sendmail.com).

    $ host -t mx sendmail.com
    sendmail.com mail is handled by 50 righton.sendmail.com.
    sendmail.com mail is handled by 10 smtp.sendmail.com.

    $ openssl s_client -starttls smtp -quiet -verify 3 \
    	-CAfile /etc/postfix/serverCAs.pem \
	-connect smtp.sendmail.com:25
    verify depth is 3
    depth=1 /C=US/ST=California/L=Emeryville/O=Sendmail, Inc./OU=IT/CN=Sendmail Certification Officer/emailAddress=rootca at sendmail.com
    verify error:num=19:self signed certificate in certificate chain
    verify return:1
    depth=1 /C=US/ST=California/L=Emeryville/O=Sendmail, Inc./OU=IT/CN=Sendmail Certification Officer/emailAddress=rootca at sendmail.com
    verify return:1
    depth=0 /C=US/ST=California/L=Emeryville/O=Sendmail, Inc./OU=IT/CN=tls.sendmail.com/emailAddress=postmaster at sendmail.com
    verify return:1
    220 foon.sendmail.com ESMTP Sendmail Switch-3.1.7/Switch-3.1.7; Tue, 30 Nov 2004 19:44:59 -0800

This is not surprising. Since MX lookups are not protected by any
cryptographic mechanism, sites that want to exchange email securely
with the *right* TLS peer need to bypass MX lookups and hardcode each
other's MX hosts in their mailer (aka transport) tables, otherwise peer
verification is largely useless, anyone who can redirect the SMTP stream
can also redirect the DNS queries (or did the former via the latter).

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list