[Cryptography] Facebook on the state of STARTTLS

Tom Ritter tom at ritter.vg
Tue May 20 14:06:54 EDT 2014


On 20 May 2014 11:36, Eric Mill <eric at konklone.com> wrote:
> Could you explain why CA certs are futile for SMTP? It's not immediately
> obvious to me. (I'm new to STARTTLS, have never configured it.)

Short: MX records (without DNSSEC) are unauthenticated and can point
to a domain the attacker can legitimately get a certificate for.

Long:
If I do an MX lookup on konklone.com, I get the following:

;; ANSWER SECTION:
konklone.com. 3599 IN MX 10 mx-3.rightbox.com.
konklone.com. 3599 IN MX 10 mx-2.rightbox.com.
konklone.com. 3599 IN MX 10 mx-1.rightbox.com.

If I use http://www.checktls.com/ to check if I can send you email
securely, I see that I get a certificate with the commonName of
*.pobox.com.  So the cert doesn't match rightbox.com - and if I were
doing strict name checking, I would reject it.  But let's pretend we
do replace the cert, or stick in a SAN for *.rightbox.com, so now it
passes.

Well, we're assuming an attacker who can modify traffic on the wire;
otherwise you don't even need a CA cert: a self-signed opportunistic
encrypted channel is sufficient to protect it against a passive
adversary.

So this attacker doesn't present a false certificate, because you're
doing strict name checking and requiring a valid CA-signed cert.
Instead they just return an MX record to ritter.vg.  I own ritter.vg
and thus can get a valid CA-signed certificate for it.  So now when
you want to email someone, you do an MX lookup, get directed to
ritter.vg, check that the certificate matches and is CA-signed, and
you deliver the mail.

-tom
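
Added example (not part of the original message): a small model of a sending MTA's delivery decision, showing that strict name checking passes for a forged MX target and that the decision only changes when the MX answer itself must be authenticated. The class and function names, the dnssec_valid flag (assumed to come from a validating resolver) and the sample records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class MxAnswer:
    host: str            # MX target returned by the resolver
    dnssec_valid: bool   # assumption: resolver reports DNSSEC validation status

@dataclass
class Cert:
    names: list          # commonName / SAN DNS names in the presented cert
    ca_signed: bool      # chains to a trusted CA

def name_matches(pattern: str, host: str) -> bool:
    """Match a cert name to a host; '*' covers exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def strict_check(mx: MxAnswer, cert: Cert) -> bool:
    """Strict name checking: cert is CA-signed and matches the MX host."""
    return cert.ca_signed and any(name_matches(n, mx.host) for n in cert.names)

def deliver(mx: MxAnswer, cert: Cert, require_authenticated_mx: bool) -> bool:
    """Decide whether to hand mail to the server named by the MX answer."""
    if require_authenticated_mx and not mx.dnssec_valid:
        return False  # the MX target itself is untrusted input
    return strict_check(mx, cert)

# Constructed sample data using the names from the message above.
REAL_MX = MxAnswer("mx-1.rightbox.com.", dnssec_valid=False)
POBOX_CERT = Cert(["*.pobox.com"], ca_signed=True)
FIXED_CERT = Cert(["*.pobox.com", "*.rightbox.com"], ca_signed=True)
FORGED_MX = MxAnswer("ritter.vg.", dnssec_valid=False)
RITTER_CERT = Cert(["ritter.vg"], ca_signed=True)

def scenarios() -> dict:
    return {
        "real MX, *.pobox.com cert": deliver(REAL_MX, POBOX_CERT, False),
        "real MX, SAN added": deliver(REAL_MX, FIXED_CERT, False),
        "forged MX, strict check only": deliver(FORGED_MX, RITTER_CERT, False),
        "forged MX, authenticated MX required": deliver(FORGED_MX, RITTER_CERT, True),
    }

if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label}: {'deliver' if ok else 'reject'}")
```

In this model the unsigned legitimate MX answer is also rejected once authenticated MX data is required, since the sender cannot tell it apart from a forged one.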

