[Ach] Improving Applied Crypto Hardening Draft

Manuel Kraus ach at lsd.is
Fri Jan 10 09:42:17 CET 2014


Hey there,

I'm not sure if this is the right way to put forward suggestions.
Forgive me if I'm wrong!

My suggestion:



a) Page 55

 Key Exchange Table

- What is EECDH? Maybe you mean ECDHE instead?

- You should add DHE as well, since this is the important non-EC key exchange on AES ciphers, like EDH is for the 3DES ciphers.



b) I don't know how close you are to the guys at cert.at, but there are improvements possible too:

The website "http://lists.cert.at/cgi-bin/mailman/options/ach" isn't SSL by default!

I missed that detail and put my Ach-list password in cleartext... uhhh..



c) The list password is stored there in cleartext, I assume.



d) The mailing list MTA does not offer a client certificate for verification:

----
Datum: Jan 10 06:40:14 UTC (GMT)
Von: ach-bounces at lists.cert.at (cert.at)
An: manuel.kraus at lsd.is (lsd.is)

Sicherheit:
⚫⚫⚪⚪ VERSCHLÜSSELT (ANONYM) & PFS

Jurisdiktionen:
[Sender] AT|AT ➤ (...) ➤ DE|AT ➤ DE [Empfänger]

Geo-Source: MaxMind|WIPmania

------------------------------------------------------------

Rolle: SERVER-SERVER
Richtung: INBOUND
Gegenüber: nuwen.cert.at[83.136.33.135] (cert.at)
Land: AT|AT
Nachrichten-ID: 1B95F405DA
Protokoll: SMTP/TLSv1
Chiffre: DHE-RSA-AES256-SHA
Schlüssellänge: 256/256
Vorwärtsgerichtete Sicherheit (PFS): YES

------------------------------------------------------------

Zertifikatsinformationen

(Client did not present a certificate)

----



e) The mailing list MTA offers only a self-signed server certificate:

----
Datum: Jan 10 07:36:05 UTC (GMT)
Von: manuel.kraus at lsd.is (lsd.is)
An: ach at lists.cert.at (cert.at)

Sicherheit:
⚫⚫⚪⚪ VERSCHLÜSSELT (UNVERTRAUT) & PFS

Jurisdiktionen:
[Sender] DE ➤ DE|AT ➤ AT|AT ➤ (...) ➤ AT|AT [Empfänger]

Geo-Source: MaxMind|WIPmania

------------------------------------------------------------

Rolle: SERVER-SERVER
Richtung: OUTBOUND
Gegenüber: nuwen.cert.at[83.136.33.135]:25 (cert.at)
Land: AT|AT
Nachrichten-ID: EB650401CB
Protokoll: SMTP/TLSv1
Chiffre: DHE-RSA-AES256-SHA
Schlüssellänge: 256/256
Vorwärtsgerichtete Sicherheit (PFS): YES

------------------------------------------------------------

Zertifikatsinformationen

subject_CN=nuwen
issuer_CN=nuwen
fingerprint 45:4B:06:9C:B5:76:DC:8A:95:9B:04:F9:67:41:E0:F8
pkey_fingerprint=07:7B:11:D3:26:C9:B1:B0:32:32:94:3D:1B:D6:DE:20

depth=0 verify=0
CN=nuwen

depth=0 verify=1
CN=nuwen

----




Aside from the missing security features at cert.at, I like your work, as it fits my own activism in securing email transport.
Keep up the great work, guys, the cyberwar is already ongoing!

A snippet of my personal SMTP experience in practice, you'll find here:

 http://blame.is (German language)

Enjoy!



Manuel Kraus

-- 
Linux® System Dienste
http://lsd.is



