On Wed, Oct 16, 2013 at 12:53:52AM +0200, Wolfgang Breyha wrote:
> On 2013-10-15 17:55, Viktor Dukhovni wrote:
> > DO NOT follow guidelines for HTTPS security, the SMTP
> > threat model is substantially different.
>
> Do you have a/some links with information worth reading? I'm really
> interested to get some more details about that topic. Not to break my
> cipher list even more. I promise;-)
Some food for thought at:
http://www.postfix.org/TLS_README.html#client_tls_limits
Things to also keep in mind:
- SMTP TLS is *opportunistic*. Transport security is hop by hop
and addresses (unlike https URLs) do not specify security
requirements. Most deliveries are plaintext.
- TLS with SMTP is typically unauthenticated and MITM attacks cannot
be scalably avoided without DNSSEC/DANE.
- SSLv3 and up are resistant to downgrade attacks, provided
ciphers are ordered sensibly, you get the best common
ciphersuite. Thus, removing ciphers from the bottom of the
preference list is counter-productive, it just risks not
finding any common ciphers and using plaintext instead!
- MTAs are less likely to be behind SSL crypto accelerators with
possibly backdoored hardware/software. And much less likely to
be tuned for least CPU-cost ciphersuites.
- MTAs with PFS-capable crypto libraries tend to prefer PFS
ciphers out of the box without explicit tuning. Optimizing
for RC4 with RSA exchange, ... is not the norm.
- SMTP is not prone to HTTP's cross-site and chosen plaintext attacks,
no Javascript in pages served by HTTP servers directing clients to
other SMTP servers... BEAST, CRIME, ... are HTTPS attacks not generic
TLS attacks.
--
Viktor.
