ritter.vg
On the Sorry State of E-Mail Security
20 May 2012 23:34 EST

Something I've been interested in for the past few months is SSL/TLS, and in particular looking at undetectable attacks.

Censorship is detectable. You know you're being censored. Censorship always implies passive network tapping - the entity has to perform the tap to do the censorship. And censorship itself is an active attack - the entity blocks you from visiting the website.

But passive attacks are usually undetectable from the user's perspective. If a network is being tapped - either a corporate network, or the national backbone - you usually have no way of learning this. We have a pretty good idea that the NSA is tapping large swaths of the Internet, but because it's just whistleblowers it's not considered credible proof. The Swedish version however is well documented.

But active attacks aren't always detectable either. If Chrome didn't have cert pinning, who knows how long DigiNotar would have been undetected. If a CA is compromised, we won't be able to detect an attack. Bugs can bypass certificate validity checking too. It's a dangerous type of client bug that allows undetectable MITM, but we've seen them. And if a client isn't checking for the validity of a certificate, an attacker doesn't need a bug or CA compromise, they can just perform a MITM with a self-signed certificate.

When we think of "SSL clients" we think of web browsers. Sometimes email uses SSL too. Not always. When it doesn't, it's obviously easy to tap and read. But when it does, it's not much better.

Your individual client - Outlook or Thunderbird will require a valid certificate if it's configured to use SSL. But there's more to it than that. Without going into too much detail, Outlook is a Mail User Agent (MUA), and it talks to a Mail Transfer Agent (MTA). When you send an email, your MUA transfers it to a MTA, and the MTA transfers it to another MTA. That MTA-to-MTA transfer is rarely protected by SSL. When it is protected it rarely has a valid certificate. Even if it does have a valid certificate, it's almost never that a MTA requires a valid certificate.

The end result of this is that our entire email infrastructure is vulnerable to passive eavesdropping and undetectable active attacks. We have statistics. And we have examples. You can use the very awesome CheckTLS.com to run some tests on different mail servers. I ran a few tests myself:

There's no ubiquitous e-mail encryption (S/MIME or PGP), there's no requirement for a valid SSL certificate (for what it's worth), and there's no requirement for SSL at all. And there's no global plan for fixing it either. Yet.

Footnotes:

OONI, or the Open Observatory of Network Interference, was introduced at RECon 2011 (video of talk) and is a tool to detect surveillance and censorship in the world.

Even though Outlook and Thunderbird will require a valid CA-signed certificate if they're configured to use SSL, there's no Cert Patrol or Convergence for a mail client, so you'd never detect a CA compromise.

Comments
Add a comment...
required
required, hidden, gravatared

required, markdown enabled (help)
you type:you see:
*italics*italics
**bold**bold
[stolen from reddit!](http://reddit.com)stolen from reddit!
* item 1
* item 2
* item 3
  • item 1
  • item 2
  • item 3
> quoted text
quoted text
Lines starting with four spaces
are treated like code:

    if 1 * 2 < 3:
        print "hello, world!"
Lines starting with four spaces
are treated like code:
if 1 * 2 < 3:
    print "hello, world!"