[Cryptography] Debunking the "SMTP TLS's a mess" myth.

Roland C. Dowdeswell elric at imrryr.org
Wed Oct 5 10:36:14 EDT 2016


On Tue, Oct 04, 2016 at 02:10:03PM -0400, Phillip Hallam-Baker wrote:
>

> The way to improve upon STARTTLS isn't actually to use DANE.
> 
> It would be to develop an infrastructure in which the active attacker doesn't
> know if their attack is going to be detected or not until after
> they have committed.
> 
> Something like 'pinning with fangs'.

To provide the risk of being caught, you don't really need an
infrastructure so much as the possibility of one.  I mentioned this
in a prior e-mail to this list: it would raise the bar significantly
to simply log hashes generated from the negotiated DH in STARTTLS
on both sides using the session key using SSL_export_keying_material
which implements IETF RFC 5705.

Now, you have the possibility of checking the postfix logs on both
sides to detect a MITM quite easily.

You could easily extend this to adding the hash to the received headers
which would make it so that end-users could test their connectivity to
their MTA easily.

And you could further extend it s.t. MUAs take the hashes from
the received headers and encode them into headers in their reply
so that the original sender could validate at least the first
hop---although this could be changed if the chain was MITMed on
the way back.  This, however, raises the bar a bit because to MITM
on the way there you will want to be convinced that you will be
able to MITM on the way back which may very well be quite some time
later and may go through a different path.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
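Added example, not part of the original message: a Go sketch of the logging hook Roland describes. Both ends of an in-process TLS handshake call Go's RFC 5705 exporter (`ConnectionState.ExportKeyingMaterial`, the counterpart of OpenSSL's `SSL_export_keying_material`) with the same label, and the hex of the output is what each MTA would write to its log; equal values on both sides mean one shared session, while a TLS-terminating interception produces two sessions and two different values. The exporter label, the throwaway self-signed certificate and the net.Pipe transport are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"net"
)

// SessionFingerprint returns the hex of 32 bytes of RFC 5705 exporter output, the value
// an MTA would log for this session (the label is an example, not IANA-registered).
func SessionFingerprint(cs tls.ConnectionState) (string, error) {
	ekm, err := cs.ExportKeyingMaterial("EXPERIMENTAL smtp-session-fingerprint", nil, 32)
	return hex.EncodeToString(ekm), err
}

// HandshakeFingerprints completes one TLS handshake between an in-process sending and
// receiving MTA over net.Pipe and returns the fingerprint each end would log. Equal
// values mean one shared session; a TLS-terminating MITM would yield two sessions.
func HandshakeFingerprints() (client, server string, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // throwaway self-signed server cert
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return "", "", err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	cp, sp := net.Pipe()
	// Tickets off: a post-handshake ticket write would block on the unbuffered pipe.
	srv := tls.Server(sp, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	cli := tls.Client(cp, &tls.Config{InsecureSkipVerify: true})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err = cli.Handshake(); err == nil {
		err = <-errc
	}
	if err != nil {
		return "", "", err
	}
	if client, err = SessionFingerprint(cli.ConnectionState()); err == nil {
		server, err = SessionFingerprint(srv.ConnectionState())
	}
	return client, server, err
}
```

With real MTAs the two values would come from the sending and receiving hosts' logs; comparing them is the whole check.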