[Ach] filippo on SSL SMTP encryption

Aaron Zauner azet at azet.org
Wed Apr 1 22:58:12 CEST 2015

Hi Manuel,

Manuel Kraus wrote:
> Ever heard about the "killswitch" idea of the USG? HSTS invites for low
> effort, high gain attacks and there comes a time where the advisory
> won't need to stay undetected. Consider following example: If there's no
> official change on NSA network intelligence policy in the next future
> they'll start to operate in the open field with no regret and no mercy.
> Simply saying: You folks know already how it works, so what? There will
> be no need for them to do such things only in a stealthy way. Losing the
> ground for this argument has begun with the Snowden leaks. That's
> somehow a drawback of the leaks itself, we could say.

Sorry but that's handwaving. Also not how intelligence operations work.

> Or use the chinese example: They already make such things (network
> manipulation) in the open with no problems at all. HSTS/HPKP could help
> them to take the load off the chinese firewall by simply mass injecting
> their own people in the mentioned way. The users own webbrowsers will
> help the chinese goverment to restrict the internet access.

Are you suggesting active injection attacks are less of an operational
burden than simply blocking sites or using QoS and traffic shaping for
streams/connections to unwanted destinations (this is what they do today)?

BTW: The vast majority of chinese users still run Windows XP, which
neither supports HSTS nor HPKP.

> We'll see if such, I admit "theoretical", thing will take place one time
> or not. It's not that easy to make resilient risk assessments here,
> unless newspapers - or snowden docs - or chinese people - tell us about
> the next day. ;-)
> HSTS was the idea to ensure the use of encryption, with all the focus on
> that part of the problem. The DoS potential on the other hand I really
> won't drop under the desk that fast.

See above w.r.t. HSTS support in Windows XP. It just doesn't make sense
for them at scale and IMHO active injection attacks are a lot more
costly in terms of technical means and operational expenses than what
they're doing right now to censor the open internet and track/traffic
shape their users.

> As stated before, today DNSSEC helps my servers to gather correct DNS
> information. I admit I never have checked the effectiveness of it. The
> current implementation on clients is another thing, I still agree.
> Anyways, at least there's an add-on for Firefox and Chrome webbrowsers
> [1] which helps in detecting fishy things in the web. It needs the
> minimal effort to at least install them.

Yea that's nice for people like us. The run-of-the-mill user won't
install such a Add-on, they are not even aware of what DNSSEC is. If a
technology isn't deployed and works per default; it has failed.

> One thing is sure, I'll watch the DNSSEC topic and how it develops. I
> won't undeploy it as long it does not hurt my daily operation and I see
> at least some use.

I mean it can't hurt having it set-up. But I wouldn't solely rely on DNSSEC.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150401/09f196f6/attachment.sig>

More information about the Ach mailing list