Re: SSL/TLS and port 587
Ed Gerck wrote: List, I would like to address and request comments on the use of SSL/TLS and port 587 for email security. The often expressed idea that SSL/TLS and port 587 are somehow able to prevent warrantless wiretapping and so on, or protect any private communications, is IMO simply not supported by facts. Warrantless wiretapping and so on, and private communications eavesdropping are done more efficiently and covertly directly at the ISPs (hence the name warrantless wiretapping), where SSL/TLS protection does NOT apply. There is a security gap at every negotiated SSL/TLS session. It is misleading to claim that port 587 solves the security problem of email eavesdropping, and gives people a false sense of security. It is worse than using a 56-bit DES key -- the email is in plaintext where it is most vulnerable. Perhaps you'd like to expand upon this a bit. I am a bit confused by your assertion. tcp/587 is the standard authenticated submission port, while tcp/465 is the normal smtp/ssl port - of course one could run any mix of one or the other on either port. Are you suggesting that some postmasters/admins are claiming that their Submission ports are encrypted? -- [EMAIL PROTECTED] fingerprint: 1024D/89420B8E 2001-09-16 No one can understand the truth until he drinks of coffee's frothy goodness. ~~Sheik Abd-al-Kadir - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SSL/TLS and port 587
Ed Gerck wrote, On 23/1/08 7:38 AM: The often expressed idea that SSL/TLS and port 587 are somehow able to prevent warrantless wiretapping and so on, or protect any private communications, is IMO simply not supported by facts. I would like to see some facts to support the assertion that the idea that SSL/TLS and port 587 are somehow able to prevent warrantless wiretapping is often expressed. A Google search for ssl port 587 warrantless wiretapping got exactly one hit, which was your posting to the mailing list where it had been archived on security-basic.blogspot.com and snarfed up by Google within the hour. (As an aside, see Google Taking Blog Comments Searching Real-Time? http://www.groklaw.net/article.php?story=20080122132516514 for a discussion of this remarkable update to their search engine). Sidney Markowitz http://www.sidney.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SSL/TLS and port 587
* Ed Gerck: The often expressed idea that SSL/TLS and port 587 are somehow able to prevent warrantless wiretapping and so on, or protect any private communications, is IMO simply not supported by facts. Huh? Have you got a source for that? This is he first time I've heard of such claims. Message submission over 587/TCP gives the receiver more leeway regarding adjusting message contents to police (add a message ID, check the Date and From headers, and so on). The abuse management contract is also different: once you accept a message over 587/TCP, it's your fault (and your fault alone) if this message turns out to be spam. There's nothing related to confidentiality that I know of. -- Florian Weimer[EMAIL PROTECTED] BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SSL/TLS and port 587
At 10:38 AM -0800 1/22/08, Ed Gerck wrote: The often expressed idea that SSL/TLS and port 587 are somehow able to prevent warrantless wiretapping and so on, or protect any private communications, is IMO simply not supported by facts. Can you point to some sources of this often expressed idea? It seems like a pretty flimsy straw man. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: SSL/TLS and port 587
On 22 January 2008 18:38, Ed Gerck wrote: It is misleading to claim that port 587 solves the security problem of email eavesdropping, and gives people a false sense of security. It is worse than using a 56-bit DES key -- the email is in plaintext where it is most vulnerable. Well, yes: it would be misleading to claim that end-to-end security protects you against an insecure or hostile endpoint. But it's a truism, and it's not right to say that there is a security gap that is any part of the remit of SSL/TLS to alleviate; the insecurity - the untrusted endpoint - is the same regardless of whether you use end-to-end security or not. It's probably also not inaccurate to say that SSL/TLS protects you against warrantless wiretapping; the warrantless wiretap program is implemented by mass surveillance of backbone traffic, even AT+T doesn't actually forward the traffic to their mail servers, decrypt it and then send it back to the tap point - as far as we know. When the spooks want your traffic as decrypted by your ISP server, that's when they *do* go get a warrant, but the broad mass warrantless wiretapping program is just that, and it'd done by sniffing the traffic in the middle. SSL/TLS *does* protect you against that, and the only time it won't is if you're singled out for investigation. This is not to say that it wouldn't be possible for all ISPs to collaborate with the TLAs to log, sniff or forward the decrypted traffic from their servers, but if they can't even set up central tapping at a couple of core transit sites of one ISP without someone spilling the beans, it seems improbable that every ISP everywhere is sending them copies of all the traffic from every server... cheers, DaveK -- Can't think of a witty .sigline today - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SSL/TLS and port 587
Bodo Moeller wrote: You don't take into account the many users these days who use wireless Internet access from their laptop computers, typically essentially broadcasting all network data to whoever is sufficiently close and sufficiently nosy. Yes. Caveats apply but SSL/TLS is useful and simple for this purpose. Of course using SSL/TLS for e-mail security does not *solve* the problem of e-mail eavesdropping (unless special care is taken within a closed group of users), but it certainly plays an important role in countering eavesdropping in some relevant scenarios. The problem is when it is generalized from the particular case where it helps (above) to general use, and as a solution to prevent wireless wiretapping. For example, as in this comment from a data center/network provider: - Now, personally, with all the publicly available info regarding warrantless wiretapping and so on, why any private communications should be in the clear I just don't know. Even my MTA offers up SSL or TLS to other MTA's when advertising its capabilities. The RFC is there, use it as they say. - Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SSL/TLS and port 587
On Tue, 22 Jan 2008 21:49:32 -0800 Ed Gerck [EMAIL PROTECTED] wrote: As I commented in the second paragraph, an attack at the ISP (where SSL/TLS is of no help) has been the dominant threat -- and that is why one of the main problems is called warrantless wiretapping. Further, because US law does /not/ protect data at rest, anyone claiming authorized process (which the ISP itself may) can eavesdrop without any required formality. Please justify this. Email stored at the ISP is protected in the U.S. by the Stored Communications Act, 18 USC 2701 (http://www4.law.cornell.edu/uscode/18/2701.html). While it's not a well-drafted piece of legislation and has been the subject of much litigation, from the Steve Jackson Games case (http://w2.eff.org/legal/cases/SJG/) to Warshak v. United States (http://www.cs.columbia.edu/~smb/blog/2007-06/2007-06-19.html), I don't see how you can say stored email isn't protected at all. --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SSL/TLS and port 587
At 9:49 PM -0800 1/22/08, Ed Gerck wrote: Can you point to some sources of this often expressed idea? It seems like a pretty flimsy straw man. It is common with those who think that the threat model is traversing the public Internet. I'll take that as a no. For examples on claiming that SSL/TLS can protect email privacy, That's not what I asked, of course. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SSL/TLS and port 587
Steven M. Bellovin wrote: On Tue, 22 Jan 2008 21:49:32 -0800 Ed Gerck [EMAIL PROTECTED] wrote: As I commented in the second paragraph, an attack at the ISP (where SSL/TLS is of no help) has been the dominant threat -- and that is why one of the main problems is called warrantless wiretapping. Further, because US law does /not/ protect data at rest, anyone claiming authorized process (which the ISP itself may) can eavesdrop without any required formality. Please justify this. Email stored at the ISP is protected in the U.S. by the Stored Communications Act, 18 USC 2701 (http://www4.law.cornell.edu/uscode/18/2701.html). While it's not a well-drafted piece of legislation and has been the subject of much litigation, from the Steve Jackson Games case (http://w2.eff.org/legal/cases/SJG/) to Warshak v. United States (http://www.cs.columbia.edu/~smb/blog/2007-06/2007-06-19.html), I don't see how you can say stored email isn't protected at all. As you wrote in your blog, users really need to read those boring [ISP] licenses carefully. ISP service terms grant the disclosure right on the basis of something broadly called valid legal process or any such term as defined /by the ISP/. Management access to the account (including email data) is a valid legal process (authorized by the service terms as a private contract) that can be used without any required formality, for example to verify compliance to the service terms or something else [1]. Frequently, common sense and standard use are used to justify such access but, technically, no justification is actually needed. Further, when an ISP such as google says Google does not share or reveal email content or personal information with third parties. one usually forgets that (1) third parties may actually mean everyone on the planet but you; (2) third parties also have third parties; and (3) #2 is recursive. Mr. Councilman's case and his lawyer's declaration that Congress recognized that any time you store communication, there is an inherent loss of privacy was not in your blog, though. Did I miss something? Cheers, Ed Gerck [1] in http://mail.google.com/mail/help/about_privacy.html : Of course, the law and common sense dictate some exceptions. These exceptions include requests by users that Google's support staff access their email messages in order to diagnose problems; when Google is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of Google, its users and the public. For full details, please refer to the When we may disclose your personal information section of our privacy policy. These exceptions are standard across the industry and are necessary for email providers to assist their users and to meet legal requirements. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SSL/TLS and port 587
On Wed, 23 Jan 2008 08:10:01 -0800 Ed Gerck [EMAIL PROTECTED] wrote: Steven M. Bellovin wrote: On Tue, 22 Jan 2008 21:49:32 -0800 Ed Gerck [EMAIL PROTECTED] wrote: As I commented in the second paragraph, an attack at the ISP (where SSL/TLS is of no help) has been the dominant threat -- and that is why one of the main problems is called warrantless wiretapping. Further, because US law does /not/ protect data at rest, anyone claiming authorized process (which the ISP itself may) can eavesdrop without any required formality. Please justify this. Email stored at the ISP is protected in the U.S. by the Stored Communications Act, 18 USC 2701 (http://www4.law.cornell.edu/uscode/18/2701.html). While it's not a well-drafted piece of legislation and has been the subject of much litigation, from the Steve Jackson Games case (http://w2.eff.org/legal/cases/SJG/) to Warshak v. United States (http://www.cs.columbia.edu/~smb/blog/2007-06/2007-06-19.html), I don't see how you can say stored email isn't protected at all. As you wrote in your blog, users really need to read those boring [ISP] licenses carefully. ISP service terms grant the disclosure right on the basis of something broadly called valid legal process or any such term as defined /by the ISP/. Management access to the account (including email data) is a valid legal process (authorized by the service terms as a private contract) that can be used without any required formality, for example to verify compliance to the service terms or something else [1]. Frequently, common sense and standard use are used to justify such access but, technically, no justification is actually needed. Further, when an ISP such as google says Google does not share or reveal email content or personal information with third parties. one usually forgets that (1) third parties may actually mean everyone on the planet but you; (2) third parties also have third parties; and (3) #2 is recursive. You're confusing two concepts. Warrants apply to government behavior; terming something a wireless wiretap carries the clear implication of government action. Private action may or may not violate the wiretap act or the Stored Communications Act, but it has nothing to do with warrants. Mr. Councilman's case and his lawyer's declaration that Congress recognized that any time you store communication, there is an inherent loss of privacy was not in your blog, though. Did I miss something? Since the Councilman case took place several years before I started my blog, it's hardly surprising that I didn't blog on it. And it turns out that Councilman -- see http://epic.org/privacy/councilman/ for a summary -- isn't very interesting any more. The original district court ruling, upheld by three judges of the Court of Appeals, significantly weakened privacy protections for email. It was indeed an important and controversial ruling. However, case was reheard en banc; the full court ruled that the earlier decisions were incorrect, which left previous interpretations of the wiretap law intact. As far as I can tell, it was never appealed to the Supreme Court. (The ultimate outcome, which isn't very interesting to this list, is discussed in http://pacer.mad.uscourts.gov/dc/opinions/ponsor/pdf/councilman%20mo.pdf) You are, of course, quite correct that ISP terms of service need to be read carefully. Cheers, Ed Gerck [1] in http://mail.google.com/mail/help/about_privacy.html : Of course, the law and common sense dictate some exceptions. These exceptions include requests by users that Google's support staff access their email messages in order to diagnose problems; when Google is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of Google, its users and the public. For full details, please refer to the When we may disclose your personal information section of our privacy policy. These exceptions are standard across the industry and are necessary for email providers to assist their users and to meet legal requirements. --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SSL/TLS and port 587
Steven M. Bellovin wrote: You're confusing two concepts. Warrants apply to government behavior; terming something a wireless wiretap carries the clear implication of government action. Private action may or may not violate the wiretap act or the Stored Communications Act, but it has nothing to do with warrants. First, there is no confusion here; I was simply addressing both issues as in my original question to the list: The often expressed idea that SSL/TLS and port 587 are somehow able to prevent warrantless wiretapping and so on, or protect any private communications, is IMO simply not supported by facts. Second, those two issues are not as orthogonal as one might think. After all, an ISP is already collaborating in the case of a warrantless wiretap. So, where would the tap take place: 1. where the email is encrypted, or 2. where the email is not encrypted. Considering the objective of the tap, and the expenses incurred to do it, it seems quite improbable to choose #1. Thanks for Mr. Councilman's case update. I mentioned it only because it shows what does happen and the economic motivations for it, none of which could have been prevented by SSL/TLS protecting email submission. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SSL/TLS and port 587
On Tue, Jan 22, 2008 at 10:38:24AM -0800, Ed Gerck wrote: List, I would like to address and request comments on the use of SSL/TLS and port 587 for email security. The often expressed idea that SSL/TLS and port 587 are somehow able to prevent warrantless wiretapping and so on, or protect any private communications, is IMO simply not supported by facts. Nothing of the sort, TLS on port 587 protects replayable *authentication* mechanisms, suchs as PLAIN and LOGIN. It can also allow the client to authenticate the server (X.509v3 cert) and preclude MITM attacks on mail submission. I've not seen any reputable parties claiming that TLS submission is protection against intercepts. I maintain the TLS code for Postfix, the documentation does not anywhere make such claims. However we do support TLS sensitive SASL mechanism selection: http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only http://www.postfix.org/postconf.5.html#smtp_sasl_tls_security_options which is highly suggestive of using TLS to protect plain-text passwords in flight. -- /\ ASCII RIBBON NOTICE: If received in error, \ / CAMPAIGN Victor Duchovni please destroy and notify X AGAINST IT Security, sender. Sender does not waive / \ HTML MAILMorgan Stanley confidentiality or privilege, and use is prohibited. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
