Re: [exim] some OpenSSL topics

Top Page
Delete this message
Reply to this message
Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] some OpenSSL topics
On Wed, Oct 16, 2013 at 12:53:52AM +0200, Wolfgang Breyha wrote:

> On 2013-10-15 17:55, Viktor Dukhovni wrote:
> > DO NOT follow guidelines for HTTPS security, the SMTP
> > threat model is substantially different.
>
> Do you have a/some links with information worth reading? I'm really
> interested to get some more details about that topic. Not to break my
> cipher list even more. I promise;-)


Some food for thought at:

    http://www.postfix.org/TLS_README.html#client_tls_limits


Things to also keep in mind:

    - SMTP TLS is *opportunistic*.  Transport security is hop by hop
      and addresses (unlike https URLs) do not specify security
      requirements.  Most deliveries are plaintext.


    - TLS with SMTP is typically unauthenticated and MITM attacks cannot
      be scalably avoided without DNSSEC/DANE.


    - SSLv3 and up are resistant to downgrade attacks, provided
      ciphers are ordered sensibly, you get the best common
      ciphersuite.  Thus, removing ciphers from the bottom of the
      preference list is counter-productive, it just risks not
      finding any common ciphers and using plaintext instead!


    - MTAs are less likely to be behind SSL crypto accelerators with
      possibly backdoored hardware/software.  And much less likely to
      be tuned for least CPU-cost ciphersuites.


    - MTAs with PFS-capable crypto libraries tend to prefer PFS
      ciphers out of the box without explicit tuning.  Optimizing
      for RC4 with RSA exchange, ... is not the norm.


    - SMTP is not prone to HTTP's cross-site and chosen plaintext attacks,
      no Javascript in pages served by HTTP servers directing clients to
      other SMTP servers...  BEAST, CRIME, ... are HTTPS attacks not generic
      TLS attacks.


-- 
    Viktor.