[Nottingham] Email downgrade attacks?

Martin martin at ml1.co.uk
Wed Nov 12 20:28:32 UTC 2014



On 12/11/14 15:48, Mike Cardwell wrote:
> * on the Wed, Nov 12, 2014 at 02:49:45PM +0000, Jason Irwin wrote:
> 
>> https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

That's quite a sneaky "OUCH"...

But then again, that is a rather dubious 'workaround' to intercept
email spam and malware... And everything else... Except I don't think
it should be done that way!


> Annoyingly, this breaks DANE. I publish fingerprints of the certs
> which my MX servers use, in the DNS:
[...]
> *required* and that a certificate matching the fingerprint I've
> published *must* be expected.
> 
> So if some cretinous ISP like Verizon comes along and strips out
> STARTTLS from ... the message will be bounced back to the sender
> instead of delivered. ...

Which is very good if you know what is happening or if you have
control of both end points.

However, for the unknowing users, all they will see is that "it doesn't
work", and you don't receive or even see the mail you might hope for.

I also doubt that the message giving the reason for the bounce will be
intelligible...


However, given enough disruption and grief, that would eventually
cause enough of a headache to give rise to quite a stir...

Or... We become a segregated internet of the knowledgeable encrypted
alongside a wider group of the abused unencrypted.


This is looking like we cannot have any trust with any part of any
internet route. :-(

Long gone are the days of sysadmins taking pride in trust and of being
held in high esteem?...


Cheers,
Martin


-- 
- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
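The DANE behaviour Mike describes (STARTTLS becomes mandatory and the server certificate must match the published TLSA fingerprint, otherwise the mail bounces instead of being delivered in the clear) can be sketched as a small policy check. This is an added illustration, not code from the thread or from any MTA; the TLSA record, SPKI bytes and EHLO responses are constructed sample data, and the "3 1 1" (DANE-EE, SubjectPublicKeyInfo, SHA-256) record form is assumed.

```python
import hashlib

# Constructed sample data: a placeholder SubjectPublicKeyInfo (not a real key) and
# the TLSA record an operator would publish for it: usage 3, selector 1, type 1.
SAMPLE_SPKI = b"constructed-subject-public-key-info-bytes"
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()

# Constructed EHLO responses: one honest, one with the STARTTLS line stripped in transit.
EHLO_OK = "250-mail.example.org\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = "250-mail.example.org\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"


def parse_tlsa(record):
    """Split 'usage selector mtype hexdata' into its four fields."""
    usage, selector, mtype, data = record.split()
    return int(usage), int(selector), int(mtype), data.lower()


def ehlo_advertises_starttls(ehlo_response):
    """True if any 250 line of the EHLO reply is the STARTTLS keyword."""
    return any(line[4:].strip().upper() == "STARTTLS"
               for line in ehlo_response.splitlines() if line.startswith("250"))


def delivery_decision(tlsa_records, ehlo_response, spki_bytes):
    """Return 'deliver' or 'bounce: <reason>' for a sending MTA that honours DANE.

    With no TLSA records the sender falls back to opportunistic TLS, so a stripped
    STARTTLS goes unnoticed and the mail is delivered (in plaintext). With TLSA
    records, both STARTTLS and a matching certificate become mandatory.
    """
    if not tlsa_records:
        return "deliver"
    if not ehlo_advertises_starttls(ehlo_response):
        return "bounce: STARTTLS required by DANE but not offered by the MX"
    actual = hashlib.sha256(spki_bytes).hexdigest()
    for record in tlsa_records:
        usage, selector, mtype, expected = parse_tlsa(record)
        if (usage, selector, mtype) == (3, 1, 1) and expected == actual:
            return "deliver"
    return "bounce: certificate does not match any published TLSA fingerprint"


if __name__ == "__main__":
    print(delivery_decision([SAMPLE_TLSA], EHLO_OK, SAMPLE_SPKI))
    print(delivery_decision([SAMPLE_TLSA], EHLO_STRIPPED, SAMPLE_SPKI))
    print(delivery_decision([], EHLO_STRIPPED, SAMPLE_SPKI))
```

The third case is the one Martin worries about: without DANE the strip is silent, and with it the only visible symptom is a bounce whose reason the sender may not understand.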