Re: [Uta] Recording from irtfopen on email security using TLS
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 07 April 2016 19:41 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1BBD12D1B1 for <uta@ietfa.amsl.com>; Thu, 7 Apr 2016 12:41:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gCWyAv7Es1lA for <uta@ietfa.amsl.com>; Thu, 7 Apr 2016 12:41:17 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 674F412D0BA for <uta@ietf.org>; Thu, 7 Apr 2016 12:41:17 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 287CA284F25; Thu, 7 Apr 2016 19:41:16 +0000 (UTC)
Date: Thu, 07 Apr 2016 19:41:16 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: "uta@ietf.org" <uta@ietf.org>
Message-ID: <20160407194115.GI26423@mournblade.imrryr.org>
References: <BN3PR0301MB08678C5C40FDD9741697D201AD9F0@BN3PR0301MB0867.namprd03.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <BN3PR0301MB08678C5C40FDD9741697D201AD9F0@BN3PR0301MB0867.namprd03.prod.outlook.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/WkaqFWI03Hw6R6UT6QdYOAeWTcw>
Subject: Re: [Uta] Recording from irtfopen on email security using TLS
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: uta@ietf.org
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 19:41:22 -0000
On Wed, Apr 06, 2016 at 11:13:17PM +0000, Orit Levin (CELA) wrote: > For those who didn't attend the irtfopen session on Tue, I recommend viewing the recording at > https://www.youtube.com/watch?v=36WDbfKEIRI. > > The talk relevant to UTA starts at min 22. It provides a great intro to > the challenges around using email with TLS. While the talk was interesting and provides useful background it is also somewhat misleading. * Firstly it compares SMTP security with HTTPS, but the right comparison is with the Web, whether HTTP or HTTPS, not just the "secure" Web. What fraction of HTTP sites visited by users are HTTPS with valid certificates? I certainly find many HTTP-only sites, even sites of major server hardware vendors that provide firmware and software updates are HTTP-only, or routinely serve HTTP links from from HTTPS pages even if they support both. The state of SMTP transport security is not nearly as dire as presented. Yes, the "secure" portion of SMTP is typically only secure against passive attacks, but in practice more of the traffic may be at least somewhat protected than with HTTP. Opportunistic security *is* easier to deploy. * The dismissal of DANE in the Q&A is either disingenuous or naive. Yes, DNSSEC adoption is low (around 2% of domains in my survey), but it is not *zero* as with STS. Just as DANE requires adoption of new software (DANE capable MTAs, and DNSSEC validating resolvers), so would STS require adoption of new capabilities in client MTAs. DANE software is already available in Postfix and Exim, and in May will become part of the stable OpenSSL 1.1.0 release. I've identified 11.7k domains with working DANE (out of an estimated 100k similar domains that don't always appear on lists such as the Alexa 1M, which is not a particularly relevant list for email). Whether the solution is STS, DANE or both, neither will happen overnight. I estimate broad adoption of STS not much earlier than circa 2020--2022. In the same timeframe, the large providers could likely implement DNSSEC and DANE. Adoption of STS may be faster on the server side at the large providers, but client-side adoption of STS outside that set of providers will take longer than it would for DANE, because there is neither a stable specification, nor even experimental code in the various open-source MTAs. The following "well-known" domains (based on a current listing at Google's email transparency report) support DANE on the server side: registro.br mail.com mzk.cz bund.de jpberlin.de lrz.de posteo.de unitymedia.de octopuce.fr comcast.net t-2.net xs4all.net xs4all.nl debian.org freebsd.org gentoo.org ietf.org netbsd.org openssl.org samba.org torproject.org if we include domains that appeared in that report in the past, the list grows to include: travelbirdbelgie.be mailous.com societe.com t-2.com gohost.cz bayern.de ish.de kabelmail.de ruhr-uni-bochum.de tum.de unitybox.de lepartidegauche.fr dd24.net rrpproxy.net xworks.net aanbodpagina.nl jasperalblas.nl mijngastouderburo.nl steffann.nl isc.org I've identified > 11700 additional domains, but most are too small to account for a noticeable fraction of most senders' email. [ Even my domain is not listed, despite my best efforts to flood the ietf lists with my comments. :-) ] -- Viktor.
- [Uta] Recording from irtfopen on email security u… Orit Levin (CELA)
- Re: [Uta] Recording from irtfopen on email securi… Viktor Dukhovni