[Ach] filippo on SSL SMTP encryption

Manuel Kraus ach at lsd.is
Wed Apr 1 22:46:20 CEST 2015

On 01.04.2015 at 19:58, Aaron Zauner wrote:
> I don't think you get the full picture here. Such an adversary has a
> /very/ high interest in his work being undetected. If they were to
> massively DoS popular websites by injecting fake headers, that would be
> noticed immediately. They also can't use these attacks to gain information.

Ever heard about the "killswitch" idea of the USG? HSTS invites low
effort, high gain attacks, and there comes a time where the adversary
won't need to stay undetected. Consider the following example: If there's
no official change on NSA network intelligence policy in the near future
they'll start to operate in the open field with no regret and no mercy.
Simply saying: You folks know already how it works, so what? There will
be no need for them to do such things only in a stealthy way. Losing the
ground for this argument has begun with the Snowden leaks. That's
somehow a drawback of the leaks themselves, we could say.

Or use the Chinese example: They already do such things (network
manipulation) in the open with no problems at all. HSTS/HPKP could help
them to take the load off the Chinese firewall by simply mass injecting
their own people in the mentioned way. The users' own web browsers will
help the Chinese government to restrict the internet access.

> So, yes: if you're on a carrier/backbone link and able to inject data in
> time, have access to a CA - you're able to DoS HPKP and -- maybe -- able
> to switch out HPKP headers on the first time of use. This effectively
> results in a DoS attack that will be detected almost immediately with no
> real advantage for the attacker, or am I missing something?

We'll see if such, I admit "theoretical", thing will take place one time
or not. It's not that easy to make resilient risk assessments here,
unless newspapers - or Snowden docs - or Chinese people - tell us about
the next day. ;-)
HSTS was the idea to ensure the use of encryption, with all the focus on
that part of the problem. The DoS potential on the other hand I really
won't drop under the desk that fast.

> Did nobody read my "DNSSEC doesn't work" post? :) No really. DNSSEC
> gives you /nothing/ over that, because neither your browser nor your
> local Operating System will be able to tell you that something is
> fishy and the chance of something soft-failing in the DNSSEC stack is
> not likely but almost certain.
> Aaron

As stated before, today DNSSEC helps my servers to gather correct DNS
information. I admit I never have checked the effectiveness of it. The
current implementation on clients is another thing, I still agree.
Anyways, at least there's an add-on for Firefox and Chrome web browsers
[1] which helps in detecting fishy things in the web. It takes
minimal effort to at least install them.

One thing is sure, I'll watch the DNSSEC topic and how it develops. I
won't undeploy it as long as it does not hurt my daily operation and I see
at least some use.
