No Need for Black Chambers
Testing TLS in the E-mail Ecosystem at Large
ARES16
Wilfried Mayer, Aaron Zauner, Martin Schmiedecker, Markus Huber
Background
Transport Layer Security
• Most widely used cryptographic protocol
• Lots of research for HTTPS
• Not for systems like E-mail
  ◦ Durumeric et al. (IMC'15 and 32C3)
  ◦ Holz et al. (NDSS'16)
3
Background
• Public mail services heavily used
• Millions of smaller mail-daemons
• E-mail not invented with security in mind
4
Background
Port  TLS       Protocol  Usage
25    STARTTLS  SMTP      Transmission
110   STARTTLS  POP3      Retrieval
143   STARTTLS  IMAP      Retrieval
465   Implicit  SMTPS     Submission
587   STARTTLS  SMTP      Submission
993   Implicit  IMAPS     Retrieval
995   Implicit  POP3S     Retrieval
5
Methodology
Transparent Scanning
• WHOIS / RIPE entry explaining
• Webpage on the scan host explaining
• No attempt to hide
14
Methodology
Considerations
• People will be annoyed!
• ... they even might write to your management or unrelated 3rd parties
• ... or call your office
• ... or write offensive e-mails
16
Results
Data collection
• 7 TCP ports
• 5 TLS versions
• ∼50 cipher suites
• ∼10 billion TLS handshakes
• April to August 2015
• 20,270,768 scans
17
Results
Protocol Version Support / TCP Port
[Bar chart: protocol version support in % per TCP port (25, 110, 143, 465, 587, 993, 995) for SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
18
Results
Protocol Version Support / TCP Port
                     25      465     587     Retrieval
SSLv2 + SSLv3        < 0.2%
TLSv1.0 upwards      8%      45%     18%     32–37%
TLSv1.1 + TLSv1.2    < 0.5%
19
Results
Key exchange security - Diffie-Hellman
• DH primes in SMTP
  ◦ Large amount of 512 bit (EXPORT)
  ◦ One 512-bit prime used by 64%, one 1024-bit prime used by 69% (Postfix)
  ◦ ≤ 1024 bit is very common in all protocols
20
Results
Key exchange security - Elliptic Curve Diffie-Hellman
• SMTP: 99% use secp256r1 curve
• POP/IMAP: ∼70% use secp384r1 curve
21
Results
X.509: Trust / TCP Port
[Bar chart: X.509 trust result in % per TCP port (25, 110, 143, 465, 587, 993, 995), categories ok / self signed / unable]
Compared to Mozilla Truststore: ssc: self-signed, ok: CA signed, local: unable to get local issuer
24
Results
X.509 Certificates
• 99% of leafs use RSA (vs. e.g. ECDSA)
• Trusted: ≥ 90% 2048 bit, ≤ 10% 4096 bit
• Self-signed: 15%–40% 1024 bit
• Common name:
Name                                                  Key Size  IPs
Parallels Panel - Parallels                           2048      306,852
...
Automatic. . . IMAP SSL key - Courier Mail Server     1024      83,976
...
25
Results
X.509: Weak RSA keys
• Similar to Heninger et al.
• 40,268,806 certificates analyzed
• 2,354,090 unique RSA moduli
• Fast-GCD (djb / Heninger et al.)
• 456 RSA private keys recovered
26
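The "Fast-GCD" step on this slide is Bernstein's batch-GCD, as applied to RSA moduli by Heninger et al. The block below is an added illustration, not the authors' code: it computes gcd(N_i, product of all other N_j) for every modulus at once with a product tree and a remainder tree, which is what makes the method feasible for 2,354,090 moduli (pairwise gcds would be about 2.8 trillion operations). The sample moduli are constructed from Mersenne primes so the run is instant; `recover_private_exponent` is textbook RSA with one factor known, the step behind "456 RSA private keys recovered".

```python
"""Batch-GCD over RSA moduli (Bernstein; Heninger et al.), added example.
Sample moduli are constructed from Mersenne primes, not scanned keys."""
from math import gcd


def product_tree(leaves):
    """tree[0] = leaves, tree[-1] = [product of all leaves]."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * (lvl[i + 1] if i + 1 < len(lvl) else 1)
                     for i in range(0, len(lvl), 2)])
    return tree


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, prod_{j != i} N_j)."""
    tree = product_tree(moduli)
    rems = [tree[-1][0]]               # root: the full product P
    for lvl in reversed(tree[:-1]):    # walk down: z_node = z_parent mod node^2
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(lvl)]
    # at a leaf z = P mod N^2 and N | P, so z // N == (P / N) mod N
    return [gcd(z // n, n) for z, n in zip(rems, moduli)]


def find_shared_factors(moduli):
    """Map each modulus to a nontrivial factor exposed by sharing, else None."""
    out = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        if 1 < g < n:
            out[n] = g
        elif g == n:   # both primes shared, or a duplicate modulus: pairwise check
            out[n] = next((gcd(n, m) for m in moduli
                           if m != n and 1 < gcd(n, m) < n), None)
        else:
            out[n] = None
    return out


def recover_private_exponent(n, p, e=65537):
    """Textbook RSA: with one factor known, d = e^-1 mod (p-1)(q-1)."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed demo set: N1 and N3 share the prime M31; N2 and N4 are clean.
M31, M61, M89, M107, M127 = ((1 << k) - 1 for k in (31, 61, 89, 107, 127))
SAMPLE_MODULI = [M31 * M61, M89 * M107, M31 * M127, 65537 * 65521]

if __name__ == "__main__":
    for n, f in find_shared_factors(SAMPLE_MODULI).items():
        print(f"{n}: {'shared factor ' + str(f) if f else 'no shared factor'}")
```

For an audit of your own fleet, feed it every distinct modulus you can collect (certificates from all seven ports on the previous slides), since a factor is only visible when the weak key's sibling is in the same batch; a hit means the key must be replaced, whatever the certificate's CA status.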
Results
Additional findings
• Open-source mail daemons are easily DoS'ed - (Re)discovered a dovecot bug: (CVE-2015-3420, Hanno Boeck)
• OpenSSL will establish EXPORT ciphersuites with TLSv1.1 + TLSv1.2 (although the RFC explicitly says MUST NOT).
27
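A small probe tying together the port table on slide 5, the per-version handshakes of slides 17-19 and the EXPORT-under-TLSv1.1/1.2 finding above. This is an added example, not the authors' scanner: it connects to one mail port, upgrades with STARTTLS where the table says so, records the negotiated version and cipher suite, and flags SSLv2/SSLv3 or an export suite. The SMTP reply parser and the assessment function run offline; `probe` needs a reachable server, and the host name in it is a constructed placeholder.

```python
"""Added STARTTLS / implicit-TLS probe for the mail ports of slide 5.
Not the authors' scanner; host names are constructed placeholders."""
import socket
import ssl

# Ports from slide 5: True = implicit TLS from the first byte,
# False = plaintext greeting followed by a STARTTLS upgrade.
IMPLICIT_TLS = {25: False, 110: False, 143: False, 465: True,
                587: False, 993: True, 995: True}


def parse_smtp_reply(raw):
    """Parse an SMTP reply (RFC 5321 4.2.1) into (code, text lines, complete).
    Non-final lines of a multi-line reply are 'NNN-text'; the last is 'NNN text'."""
    code, texts, complete = None, [], False
    for line in raw.decode("ascii", "replace").split("\r\n"):
        if len(line) < 3 or not line[:3].isdigit():
            continue                    # fragment or trailing empty string
        code = int(line[:3])
        texts.append(line[4:])
        if line[3:4] != "-":            # space (or nothing) marks the final line
            complete = True
            break
    return code, texts, complete


def starttls_offered(texts):
    """True when the EHLO capability list advertises STARTTLS."""
    return any(t.strip().upper() == "STARTTLS" for t in texts)


def assess(version, cipher):
    """Findings for one negotiated (version, cipher-suite name) pair.
    OpenSSL names export suites 'EXP-...'; IANA names contain '_EXPORT_'."""
    findings = []
    if version in ("SSLv2", "SSLv3"):
        findings.append(f"{version} negotiated: obsolete protocol")
    name = cipher.upper()
    if name.startswith("EXP") or "_EXPORT_" in name:
        if version in ("TLSv1.1", "TLSv1.2"):
            findings.append(f"{cipher} under {version}: export suites MUST NOT "
                            "be negotiated here (RFC 4346 / RFC 5246)")
        else:
            findings.append(f"{cipher}: export-grade key material")
    return findings


def _read_reply(sock):
    """Read until a complete SMTP reply has arrived (replies may span recv calls)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
        code, texts, complete = parse_smtp_reply(buf)
        if complete:
            return code, texts


def probe(host, port, timeout=10.0):
    """Live probe of one SMTP port (25/587 via STARTTLS, 465 implicit); the
    POP3 STLS and IMAP STARTTLS upgrades are analogous and omitted here.
    Returns (version, cipher name, findings)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # we measure the handshake; chain trust is a separate check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if not IMPLICIT_TLS[port]:
            _read_reply(sock)                         # 220 greeting
            sock.sendall(b"EHLO probe.invalid\r\n")   # placeholder client name
            code, caps = _read_reply(sock)
            if code != 250 or not starttls_offered(caps):
                return None, None, ["STARTTLS not offered; session stays plaintext"]
            sock.sendall(b"STARTTLS\r\n")
            code, _ = _read_reply(sock)
            if code != 220:
                return None, None, [f"STARTTLS refused with {code}"]
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version, cipher = tls.version(), tls.cipher()[0]
            return version, cipher, assess(version, cipher)


if __name__ == "__main__":
    print(probe("mail.example.invalid", 25))   # constructed host; point it at your own MTA
```

A default `SSLContext` only offers what the local OpenSSL still supports, so one run shows a single negotiation; the talk's 5 versions x ~50 suites came from controlling the ClientHello per handshake (`ctx.minimum_version` / `ctx.maximum_version` and `ctx.set_ciphers` per run do this where the library still builds those suites). The relevant defender action is the same either way: a server that answers `EXP-*` under TLSv1.2 has those suites enabled in its configuration and needs them removed.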
Mitigation
Solid server configurations & awareness
• bettercrypto.org
• Mozilla Server TLS Security guide
• RFC 7457 – Summarizing Known Attacks on TLS and DTLS
• RFC 7525 – Recommendations for Secure Use of TLS and DTLS
• Educating administrators, managers and operational people
28
Mitigation
DNSSEC / DANE
• DNS-Based Authentication of Named Entities
• DNSSEC shifts trust to TLDs instead of CAs
• It's still one option that could work, so why not deploy in addition?
29
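What the DANE bullet means in practice is an RFC 6698 TLSA record published under the mail host's port (for example `_25._tcp.mail.example.com`) and a verifier that compares it against the certificate the server actually presents. The block below is an added illustration, not from the talk: it builds a record from a certificate (or its SubjectPublicKeyInfo), checks a presented certificate against one, and shows which usages still need a CA. The certificate and SPKI bytes are constructed stand-ins for DER, and the host name is a placeholder.

```python
"""TLSA (RFC 6698) record construction and matching, added example.
Certificate bytes are constructed stand-ins, not real DER."""
import hashlib

# Certificate usage (RFC 6698 2.1.1): 0/1 constrain PKIX, 2/3 replace it.
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


def requires_pkix(usage):
    """Usages 0 and 1 still need a CA-signed chain; 2 and 3 rest on DNSSEC
    alone, which is the sense in which trust moves from CAs to the TLD."""
    return usage in (0, 1)


def association_data(selector, mtype, cert_der, spki_der):
    """Certificate Association Data for a cert: selector 0 = full certificate,
    1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_record(host, port, usage, selector, mtype, cert_der, spki_der, proto="tcp"):
    """Zone-file line, e.g. '_25._tcp.mail.example.com. IN TLSA 3 1 1 <hex>'."""
    data = association_data(selector, mtype, cert_der, spki_der)
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {mtype} {data.hex()}"


def tlsa_matches(usage, selector, mtype, assoc_hex, cert_der, spki_der):
    """Does the presented certificate satisfy this record?  For usages 0 and 2
    the caller passes the chain certificate the record names, not the leaf."""
    expected = bytes.fromhex(assoc_hex)
    return association_data(selector, mtype, cert_der, spki_der) == expected


# Constructed sample: a hypothetical MTA's "certificate" and its "SPKI".
SAMPLE_CERT = b"constructed-leaf-certificate-DER"
SAMPLE_SPKI = b"constructed-subject-public-key-info"

if __name__ == "__main__":
    rr = tlsa_record("mail.example.com", 25, 3, 1, 1, SAMPLE_CERT, SAMPLE_SPKI)
    print(rr)
    print("PKIX still required:", requires_pkix(3))
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the usual choice for MTAs because a certificate renewal that keeps the same key leaves the record valid; with a real certificate, the DER and SPKI bytes come from the X.509 parser of your choice instead of the constructed values above, and the record is only meaningful if the zone is DNSSEC-signed.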
Mitigation
E-Mail ecosystem
• DKIM (DomainKeys Identified Mail)
• SPF (Sender Policy Framework)
• DMARC (Domain-based Message Authentication, Reporting, and Conformance)
30
Mitigation
New efforts
• Let's Encrypt by EFF et al.
• DEEP (Deployable Enhanced Email Privacy) - similar to how HSTS works for HTTPS (MUA to Server)
• SMTP-STS
• Continued scans - published data sets
31