On Tue, May 20, 2014 at 03:58:22PM +0200, Per Thorsheim wrote:
> I still personally vote for disabling SSLv2
Which is the default in Postfix.
> and ANON ciphers used with STARTTLS as we do today. My reasoning is simple:
And simply wrong:
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-09#section-8.2
> if we continue to support old & insecure ciphers etc, there is less
> incentive for moving forward to safer solutions.
Except that ANON ciphers are *not* insecure in the SMTP opportunistic
TLS threat model. Postfix SMTP *clients* turn off ANON ciphers when
connecting to servers with a TLS policy that requires authentication
("dane" with TLSA records present or "fingerprint", "secure", ...).
> We did discuss and
> change the scoring soon after the service launched, while originally
> being based on the scoring system from Ivan Ristic @ Qualys at
> ssllabs.com for https. Yes, perhaps stupid, but it seemed better than
> creating our own scoring system.
Opportunistic TLS in SMTP is nothing like mandatory TLS in HTTPS.
Yes, it uses the same protocol engine, but the threat model is
completely different. The sooner people stop carrying over flawed
reasoning from HTTPS to SMTP+STARTTLS the better.
Please change your site to reflect the correct risk model (opportunistic
TLS). You should also add support for DANE, so that DANE-capable
MTAs are not mis-identified as insecure (for example DANE-EE(3)
certificate usage obviates the need for the hostname to match).
> On May 13 Facebook published "The Current State of SMTP STARTTLS Deployment"
> https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223
Facebook made the same mistakes you did:
http://www.metzdowd.com/pipermail/cryptography/2014-May/021344.html
> Facebook are concerned over the lack of PFS. Right. Well, we started out
> by saying we were concerned over SSLv2, ANON suites and expired
> certificates.
PFS is always on for the anonymous ciphers, there are no long-term
secrets to compromise. I too encourage PFS, and wrote the initial
draft of:
http://www.postfix.org/FORWARD_SECRECY_README.html
which Wietse helpfully whipped into shape.
> One of our goals with starttls.info was to aid in the global deployment
> of STARTTLS, another goal was to improve the minimum level used by
> anyone deploying STARTTLS. That is until Viktors IETF proposal, or
> anything similar, reaches broad adoption on the Internet.
I'm all for metrics, but misleading metrics can be worse than no
metrics. Don't misdirect users to waste time solving non-problems.
--
Viktor.
