Monday, February 06, 2012

STARTTLS & the Police

[Kids say the darndest things...]
The FBI got "hacked" by Anonymous (NYTimes), who eavesdropped on an international telephone conference regarding criminal activities by Anonymous. The hack wasn't all that sophisticated (...), since they probably got access to the meeting invitation sent by e-mail (pastebin), which contained all the necessary info. Just a few tips here for those interested:


1. Meeting invitations with all details included
Never a good idea, just like sending username & password in the same unencrypted message in any type of channel would usually be considered a bad idea. By e-mail or by using Outlook calendar - same thing. The sheer number of people who can actually access such meeting details within any corporate Microsoft Exchange environment is overwhelming. Chances of a bad apple within the organisations, their external mail providers or others: 100% (perhaps that's just me being paranoid, but...)

2. Telephone conferencing solutions
A minimum requirement would be having a solution where an administrator can see all connected numbers and individually mute, kick and block numbers. Additionally, a minimum configuration should include disabling the ability for any attendees to listen in or talk to each other before the administrator starts the conference call. The administrator starts the call only after verifying all attending phone numbers, and then locks it against additional participants. Yes, I'm planning a blog post on this topic separately. It seems not all providers are able to do even something as basic as this in their solutions...

3. STARTTLS (RFC3207) support
Go read the RFC, or the easier Wikipedia article on STARTTLS. I'm even in the reference list there, as well as for the "Email privacy" article. It's pretty easy to implement, and it will prevent at least the most basic forms of network eavesdropping against plaintext transmissions, like regular SMTP. Based on the posting to pastebin, I looked up the MX records of the mail recipients to check for STARTTLS support at their mail gateways. Compared to "The state of SSL on the Internet" by Ivan Ristic, the state of STARTTLS seems to be the dark side of SSL on the Internet.

Here are the results from the 60-second check for STARTTLS support at FBI, Met Police in the UK, EUROPOL and others, as listed in the pastebin data. I've highlighted in RED and BLUE some of the easier things.

-----


Testing SSL server mail.ic.fbi.gov on port 25

  Supported Server Cipher(s):
    ERROR: The SMTP service on mail.ic.fbi.gov port 25 did not appear to support STARTTLS.

Testing SSL server mail3.met.police.uk on port 25

  Supported Server Cipher(s):
    ERROR: The SMTP service on mail3.met.police.uk port 25 did not appear to support STARTTLS.

Testing SSL server mail4.met.police.uk on port 25

  Supported Server Cipher(s):
    ERROR: The SMTP service on mail4.met.police.uk port 25 did not appear to support STARTTLS.

Testing SSL server mxbackup.uk.cw.net on port 25

  Supported Server Cipher(s):
    ERROR: The SMTP service on mxbackup.uk.cw.net port 25 did not appear to support STARTTLS.

Testing SSL server pnn-gw.pnn.police.uk on port 25

  Supported Server Cipher(s):
    ERROR: The SMTP service on pnn-gw.pnn.police.uk port 25 did not appear to support STARTTLS.

Testing SSL server mail.garda.ie on port 25

  Supported Server Cipher(s):
    ERROR: The SMTP service on mail.garda.ie port 25 did not appear to support STARTTLS.

Testing SSL server pochta3.nhtcu.nl on port 25

  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  ADH-RC4-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  56 bits   ADH-DES-CBC-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Accepted  TLSv1  40 bits   EXP-RC4-MD5

  Prefered Server Cipher(s):
    TLSv1  256 bits  DHE-RSA-AES256-SHA

  SSL Certificate:
    Version: 0
    Serial Number: -12920724846010265987
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=NL/ST=Utrecht/O=NHTCU/CN=pochta2
    Not valid before: Jan 13 10:45:36 2010 GMT
    Not valid after: Jan 11 10:45:36 2020 GMT
    Subject: /C=NL/ST=Utrecht/O=NHTCU/CN=pochta2
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Public-Key: (1024 bit)
      Exponent: 65537 (0x10001)
  Verify Certificate:
    self signed certificate

Testing SSL server pochta4.nhtcu.nl on port 25

  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  ADH-RC4-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  56 bits   ADH-DES-CBC-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Accepted  TLSv1  40 bits   EXP-RC4-MD5

  Prefered Server Cipher(s):
    TLSv1  256 bits  DHE-RSA-AES256-SHA

  SSL Certificate:
    Version: 0
    Serial Number: -18351820590030763555
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=NL/ST=Utrecht/O=NHTCU/CN=pochta1
    Not valid before: Jan 13 10:33:04 2010 GMT
    Not valid after: Jan 11 10:33:04 2020 GMT
    Subject: /C=NL/ST=Utrecht/O=NHTCU/CN=pochta1
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Public-Key: (1024 bit)
      Exponent: 65537 (0x10001)
  Verify Certificate:
    self signed certificate

Testing SSL server tigre.interieur.gouv.fr on port 25

  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  ADH-RC4-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  56 bits   ADH-DES-CBC-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Accepted  TLSv1  40 bits   EXP-RC4-MD5

  Prefered Server Cipher(s):
    TLSv1  256 bits  DHE-RSA-AES256-SHA

  SSL Certificate:
    Version: 0
    Serial Number: -9822045462768659921
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /CN=srvnat.messagerie.si.mi
    Not valid before: Jan  6 15:01:21 2010 GMT
    Not valid after: Jan  4 15:01:21 2020 GMT
    Subject: /CN=srvnat.messagerie.si.mi
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Public-Key: (1024 bit)
      Exponent: 65537 (0x10001)
  Verify Certificate:
    self signed certificate

Testing SSL server smtp.ts-businessmail.de on port 25

  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  AES128-SHA

  Prefered Server Cipher(s):
    TLSv1  256 bits  AES256-SHA

  SSL Certificate:
    Version: 2
    Serial Number: 2873958537406232085
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=DE/O=T-Systems International GmbH/OU=Trust Center Services/CN=TeleSec ServerPass CA 1
    Not valid before: Oct  4 09:38:53 2011 GMT
    Not valid after: Oct  9 23:59:59 2014 GMT
    Subject: /C=DE/O=T-Systems International GmbH/OU=Managed AntiSpam Service/ST=SH/L=Kiel/CN=secure05.t-systems.com
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Public-Key: (2048 bit)
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Authority Key Identifier:
        keyid:33:DC:9E:96:EC:D8:E8:35:1F:6D:90:1B:0B:38:A4:AF:74:1B:C6:58

      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage:
        TLS Web Client Authentication, TLS Web Server Authentication
      X509v3 Subject Key Identifier:
        F9:62:F5:21:81:74:1F:43:EC:3B:00:A8:0B:32:CD:93:F6:D9:A1:F7
      X509v3 Certificate Policies:
        Policy: 1.3.6.1.4.1.7879.13.2
          CPS: http://www.telesec.de/serverpass/cps.html

      X509v3 CRL Distribution Points:

        Full Name:
          URI:http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl

        Full Name:
          URI:ldap://ldap.serverpass.telesec.de/cn=TeleSec%20ServerPass%20CA%201,ou=Trust%20Center%20Services,o=T-Systems%20International%20GmbH,c=de?certificateRevocationlist?base?certificateRevocationlist=*

      Authority Information Access:
        OCSP - URI:http://ocsp.serverpass.telesec.de/ocspr
        CA Issuers - URI:http://crl.serverpass.telesec.de/crt/TeleSec_ServerPass_CA_1.cer
        CA Issuers - URI:ldap://ldap.serverpass.telesec.de/cn=TeleSec%20ServerPass%20CA%201,ou=Trust%20Center%20Services,o=T-Systems%20International%20GmbH,c=de?cACertificate

      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Subject Alternative Name:
        DNS:secure05.t-systems.com
  Verify Certificate:
    self signed certificate in certificate chain

Testing SSL server mail.telia.com on port 25

  Supported Server Cipher(s):
    ERROR: The SMTP service on mail.telia.com port 25 did not appear to support STARTTLS.

Testing SSL server m2.europol.europa.eu on port 25

  Supported Server Cipher(s):
    ERROR: The SMTP service on m2.europol.europa.eu port 25 did not appear to support STARTTLS.

Testing SSL server m1.europol.europa.eu on port 25

  Supported Server Cipher(s):
    ERROR: The SMTP service on m1.europol.europa.eu port 25 did not appear to support STARTTLS.
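
An added example, not part of the original post: a small Python parser for scan output in the layout shown above, which turns each host block into a list of findings (no STARTTLS, anonymous-DH or export-grade ciphers, short RSA keys, unverifiable certificates). The host names and the thresholds (128-bit ciphers, 2048-bit RSA) are assumptions chosen for illustration, and the sample text is constructed.

```python
import re

# Constructed sample in the same layout as the scan output above (placeholder hosts).
SAMPLE = """\
Testing SSL server mx1.example.org on port 25
  Supported Server Cipher(s):
    ERROR: The SMTP service on mx1.example.org port 25 did not appear to support STARTTLS.

Testing SSL server mx2.example.org on port 25
  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  40 bits   EXP-RC4-MD5
  SSL Certificate:
    RSA Public Key: (1024 bit)
  Verify Certificate:
    self signed certificate
"""

def audit(report, min_bits=128, min_rsa=2048):
    """Return {host: [findings]}; min_bits and min_rsa are assumed thresholds."""
    results, host, in_verify = {}, None, False
    for raw in report.splitlines():
        line = raw.strip()
        m = re.match(r"Testing SSL server (\S+) on port \d+", line)
        if m:  # a new host block starts here
            host, in_verify = m.group(1), False
            results[host] = []
            continue
        if host is None or not line:
            continue
        found = results[host]
        if "did not appear to support STARTTLS" in line:
            found.append("no STARTTLS: delivery to this host is unencrypted")
        elif (m := re.match(r"Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)", line)):
            bits, cipher = int(m.group(2)), m.group(3)
            if re.search(r"(^|-)ADH-", cipher):  # ADH suites skip server authentication
                found.append(f"anonymous DH (no server authentication): {cipher}")
            elif cipher.startswith("EXP-") or bits < min_bits:
                found.append(f"weak cipher ({bits} bits): {cipher}")
        elif (m := re.match(r"RSA Public Key: \((\d+) bit\)", line)):
            if int(m.group(1)) < min_rsa:
                found.append(f"RSA key below {min_rsa} bits: {m.group(1)}")
        elif line.startswith("Verify Certificate"):
            in_verify = True  # the verification result is on the following line
        elif in_verify and "self signed" in line:
            found.append("certificate not verifiable: " + line)
    return results
```

Calling audit() on a saved scan report gives one list per gateway, which is easier to compare across many MX hosts than the raw output.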

6 comments:

  1. Implementing support for STARTTLS shouldn't be very difficult or costly for most organizations. Very disappointed Microsoft haven't implemented it.

    Just a short question, would you consider using self-signed certificates as "good enough"?

  2. Nice post, thanks. You color coded 40 bits ciphers as RED, as if to say this is bad. While disabling low grade ciphers of TLS connections that do not have a plain text fall-back is a best practice, it makes no sense for SMTP. When you disable low grade ciphers, and a client would only offer low grade ciphers in the TLS handshake, the handshake will fail. The SMTP client will then offer the data unencrypted. So by not accepting low grade ciphers you have made the connection much more insecure. I'd rather have a 40 bit TLS connection than no TLS at all.

    Not all best practices you are familiar with from HTTPS apply to SMTPS.

  3. Self-signed certificates will in most cases give you encryption. However I have come across one provider (back in 2009 I think) that required TTP certificates as well as certain algorithms and keylengths, AND that the certificate came from a narrow list of certificate providers (approx 30 from more than a hundred at that time, if I remember correctly). To top it off: if you wanted to do STARTTLS both ways with them, they required a signature on a written agreement. "If we're doing this, we'll do it properly".

    Thx RichieB! Yes, I color coded them RED. Perhaps I should have done orange or something, and partially I do agree with you. I'm just a little worried that allowing "everything" will mean default configurations, and I'd rather see things done "properly" than just implementing default. Default is bad.

  4. Nothing wrong with self-signed certificates, at least when a proper CA environment is in place. Imho it is more reliable than putting user trust in a commercial CA which have a reputation of being compromised due to very weak IT and auditing.

  5. Per: I can argue that for SMTP default TLS (even with self-signed certificates) is better than no TLS at all. At least you'll get some encryption instead of none. But I agree: when adding any features, a deliberate choice of configuration is better than just using defaults because they are the default.

  6. Hehe. Calling a truce here RichieB! I guess we're on the same page on this, we want STARTTLS, and we want it done properly.
