Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 02 Feb 2024 18:47:15 -0500
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: nightmare.yeah27@...ecat.org, oss-security@...ts.openwall.com
Subject: Re: Re: Python standard library defaults to insecure
 TLS for mail protocols

Thanks Hanno for raising this.

Hanno's conclusion is the right one: the mail protocol implementations
in stdlib need to default to the standard default TLS behavior, which is
requires verifying the server identity.

On Thu 2024-02-01 09:45:36 -0800, nightmare.yeah27@...ecat.org wrote:
> On Thu, Feb 01, 2024 at 12:31:00PM +0100, Hanno Böck wrote:
>
>> Also relevant is RFC 8314, which contains guidelines for TLS
>> connections in email protocols [5]. ("MUAs MUST validate TLS server
>> certificates [...]") It targets client software, but I believe it is
>> reasonable to apply the same standards to client APIs.
>
> Relaying *MTAs* do not usually verify the certificate of the server
> they connect to. When they do, it creates problems because MTA
> certificates are very often self-signed. IIRC Yahoo relays in
> particular used to have this problem (or still do?)

This is a poor counterargument.  Note that Hanno's example was for
IMAP_SSL, which is not used by any MTA i'm aware of.

> It is true that MTAs are not usually written in Python :-) So maybe
> the proposal is OK. But there's a general point to note here, namely
> not all protocols are the same wrt TLS.

This note is fair: there are implementations that use TLS *without*
confirming the server identity.  However, those implementations should
have to explicitly opt *into* that looser behavior by default.

The baseline toolkit should not start in the unverified mode, for any
protocol that uses TLS.

As the lead author of the deliberately minimalist imap-dl from
mailscripts (https://git.spwhitton.name/mailscripts/tree/imap-dl) i
happen to be lucky enough to have avoided this because i have tried to
support a configuration which happened to want to have a dedicated set
of CA certificates.

The relevant code there is:

-----
    ca_certs = conf.get('retriever', 'ca_certs', fallback=None)
    […]
    ctx = ssl.create_default_context(cafile=ca_certs)
    […]
    server:str = conf.get('retriever', 'server')
    with imaplib.IMAP4_SSL(host=server,
                           port=int(conf.get('retriever', 'port', fallback=993)),
                           ssl_context=ctx) as imap:
-----

Basically, i avoided getting burned by really dumb luck.

Had i not implemented that particular use case (which is admittedly
distracting from imap-dl's minimalist goals), i would certainly have
expected that the default would be an ssl_default_context().

This needs to be fixed in the stdlib.

      --dkg

Download attachment "signature.asc" of type "application/pgp-signature" (228 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.