Re: [exim] for europeans only: EU GDPR and mitigation of CV…

Top Page

Reply to this message
Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] for europeans only: EU GDPR and mitigation of CVE-2019-15846
Am 06.09.19 um 16:05 schrieb Sebastian Nielsen:
> No thats not entirely true that you need to disable cleartext transmission.
> You must however according to GDPR support encrypted transmission if you operate a business where personal details more sensitive than a name + email adress MAY arrive, but you do not need to reject cleartext transmission unless theres a risk of receiving information that is prohibited over email alltogether.

Disabling is a consequence of not knowing whats been sent to you in the
future. Common sense, if you ask me ;)

In a case study we got 76% TLS connections last year with servers, so
hanging on clear text ports, does not make sense anymore in the near
future anyway. I bet, that the 24% none encrypted connections where from
IOT, Spam or both ;)
>
> You should however support TLS (you do not need to limit it to TLS 1.2+ however, TLS 1.0/TLS 1.1 is perfectly fine if you need to support legacy servers), AND also negotiate the strongest ciphers available.


I'm sorry, thats not true. Article 32 states "State of the Art" which
is, since 2008, 1.2 and today 1.3. As TLS 1.0 and 1.1 are broken
independend from the cipher in use, they are not to be used at all.

For germany i.e., the BSI TR-02102 defines "State of the Art" (it's the
lower end of whats possible in my eyes), which (again: for germans)
enforces the use of TLS 1.2+PFS .

> Its the same as you don't need to disable the HTTP port on web servers, but you should provide the most secure means available during negotiation by redirecting the user.
> I would also recommend running SMTP-STS if that available, but its not a strict requirement.


If your contact form connects to HTTP instead of HTTPS, you have a
problem. I initiated a DPR violation against a bigger corp in germany 
in such a case last year, and the local DPR agency agreed with me, and
"fixed" the issue together with the corp in question. We can assume it's
safe to say: The rule is "HTTPS only" for contact forms now. The rest of
the webpage can stay reachable via HTTP as long as you want.

> It depends entirely on which business you operate. GDPR says that you must use the method of securing personal data in transit that is "resonable". "resonable" is judged both of what securing methods that are available, but also on the type of personal details you are intended to transmit, and the cost of implementing the securing methods.

Correct, but in this case ( TLS on SMTP ) the cost is next to 0.00, it's
easy to enable and the "client" could sent you (worst case) his personal
medic files. This combination overrules any other dependencies on this
matter. It's whats possible, not expectional. I agree, next to noone
will send anyone else his personal medic files via email, but if it
happend, and you could have avoided it easily(which you can in this
case),  the feds will come to you, not the client.

> Many "GDPR experts" think you now as a sole proprietor need to outsource your email server and "no longer allowed to run a email server from the wardrobe" because of GDPR requiring physical security, but thats not true, its depends on amount of personal details you process, and the sensitiveness of those.

It's the amount of work you have to put into archiving a certain level
of "secureness".

Activating TLS is resonable to protect email content, putting a
mailserver into a seperate high security science center without being a
health agency, is not.  And thats what Article 32 tells us.

Example: carrying a piece of papers with names and addresses unprotected
in the open, is a violation. Putting an envelope around it, is the
costeffective solution for it. On the other hand, putting the same piece
of paper into a 500kg safe and pulling it behind you, is definatly the
wrong answere to it ;)

As a rule: if the affort is low, the cost is reasonable and  the result
is ok, article 32 expects you to make it happen.

Therefor: TLS 1.2+ is mandatory in the eu, if you need to protect pd at
all.

best regards,
Marius