Right. An attacker who can inject false DNS resolutions can, of course, redirect either the fixed mta-sts host or insert a spoofed TXT response--but by allowing the attacker to specify what hostname to use, it is more likely that attacks which indirectly allow an attacker to obtain a valid cert for a subdomain (as in the Tumblr or Blogspot case) can be leveraged (along with DNS injection) to serve a spoofed policy for the whole domain.
On Thu, May 10, 2018 at 4:47 PM Viktor Dukhovni <[email protected]> wrote:
>
> > On May 10, 2018, at 10:41 AM, Warren Kumari <[email protected]> wrote:
> >
> > [ Edit: Could the format of the _mta-sts to be something like:
> > "_mta-sts.example.com. TXT "v=STSv2; id=20180114T070707; label=foo" ?
> >
> > This would mean that the policy can be fetched from foo.example.com - the
> > record *could* specify "label=mta-sts" if it wanted - this allows this to work
> > without "reserving" a DNS label. ]
>
> Absent DNSSEC (which is the sad reason that MTA-STS exists at all) the TXT
> record is untrusted data, and so should likely not be able to redirect the
> policy source to an arbitrary host in the domain. I think that rather weakens
> the security model...
>
> --
> Viktor.
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta
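The point being argued above is that the policy host must be a fixed function of the domain, not something the (unauthenticated) TXT record gets to choose. The following Python is an added illustration, not code from the thread or from any MTA-STS implementation: it parses a `_mta-sts` TXT record in the RFC 8461 shape (`v=STSv1; id=...`), carries any extra key such as the hypothetical `label=` from Warren's proposal along as opaque data, and derives the policy URL from the domain alone, so a spoofed record cannot point the fetch at a subdomain for which an attacker holds a certificate. The sample records are constructed for the example.

```python
import re

STS_TXT_VERSION = "STSv1"  # version token used by RFC 8461 records


def parse_sts_txt(txt: str) -> dict:
    """Parse an MTA-STS TXT record such as 'v=STSv1; id=20180114T070707'.

    Returns the key/value pairs. Unknown keys (e.g. a hypothetical 'label=')
    are kept in the dict but never consulted for the policy location.
    Raises ValueError on a malformed record, a wrong version, or a bad id.
    """
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key in fields:
            raise ValueError(f"duplicate field: {key!r}")
        fields[key] = value
    if fields.get("v") != STS_TXT_VERSION:
        raise ValueError("record is not an STSv1 record")
    # RFC 8461: sts-id is 1 to 32 alphanumeric characters
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("missing or invalid id")
    return fields


def policy_host(domain: str) -> str:
    """The policy host is fixed: 'mta-sts.' prefixed to the mail domain."""
    return "mta-sts." + domain.rstrip(".").lower()


def policy_url(domain: str, record: dict) -> str:
    """Derive the HTTPS policy URL from the domain only.

    The record is accepted as a parameter to make the contrast explicit:
    nothing in it, including a 'label' key, influences the host.
    """
    return f"https://{policy_host(domain)}/.well-known/mta-sts.txt"


def policy_host_is_trusted(domain: str, host: str) -> bool:
    """Check that a host a client is about to fetch a policy from (or that
    a certificate was presented for) is exactly the fixed policy host."""
    return host.rstrip(".").lower() == policy_host(domain)


if __name__ == "__main__":
    # Constructed records: a normal one and one carrying the proposed label key.
    normal = parse_sts_txt("v=STSv1; id=20180114T070707")
    labelled = parse_sts_txt("v=STSv1; id=20180114T070707; label=foo")
    print(policy_url("example.com", normal))
    print(policy_url("example.com", labelled))  # same URL: label is ignored
    print(policy_host_is_trusted("example.com", "foo.example.com"))  # False
```

Note that the fixed derivation does not by itself stop an attacker who injects DNS answers for `mta-sts.example.com`; what it removes is the ability of a forged TXT record to select a host whose certificate the attacker already controls, which is the added risk the thread is discussing.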
