[Nottingham] Email downgrade attacks?

Martin martin at ml1.co.uk
Thu Nov 13 14:09:15 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 13/11/14 09:15, Mike Cardwell wrote:
> * on the Thu, Nov 13, 2014 at 08:46:47AM +0000, Jason Irwin wrote
> 
>>> Annoyingly, this breaks DANE. I publish fingerprints of the
>>> certs which my MX servers use
>> I think I followed all that. So DANE coupled with DNSSEC is a way
>> to verify that the sender/receiver is who they claim to be?
[...]
> I've only recently started playing with Postfix myself. Have it on
> my primary MX/submission server. Still using Exim on the secondary
> for now.

OK... For a few bits... (And bytes ;-) )


I've long been running postfix with Amavis inserted into the flow to
act as a virtual switch-box for enforcing connection policies/strategy.

So with that, I require that the email connections for known people
must be encrypted and authenticated. There are then a few other
permutations for how various external email comes in and for how
'internal' email connects.

For known people, ALL email connections are ALWAYS encrypted, for just
in case they are on the WiFi. That also avoids any danger of getting
the routing wrong to risk anything unencrypted going astray - it is
all always encrypted anyway, regardless!


However:

The public stuff gets accepted however it arrives. It is far to
disruptive to try to force the rest of the world to only connect
encrypted. (Hence, ISPs get the chance to tamper with the data packets
to mask out any encryption requests.)


And for "trust":

Well, I certainly DO NOT TRUST *ANY* CAs...!

Working on the principle that you have to trust the domain owner's DNS
anyway, then that should be the best place to pick up any
security/certificate cleverness...

(I also check the rDNS to catch spoofing. Unfortunately, there are too
many hideously not properly set up 'cloud' website/email servers to
spoil that being a guaranteed catch-all reliable check.)


And there are far too many users completely unaware that they are
trying to send their emails directly from their home connection or
from the pub or dodgy airport WiFi...


There must be a better system ;-)

Cheers,
Martin


- -- 
- - ------------------ - ----------------------------------------
- -    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- - martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- - ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlRku30ACgkQ+sI3Ds7h07fD+ACfWsiRcmrJRDP2arUCyddw0C1n
Dv8Anit9Wyj/VBJFluWSE0sEJnasCpg+
=rOCD
-----END PGP SIGNATURE-----

More information about the Nottingham mailing list