[dane] Improving DANE S/MIME Privacy

Discussion:

Alice Wonder

2017-04-11 17:16:04 UTC

Hello,

This is respect to DNSSEC validation for S/MIME

When generating a hash for use in DNS, the draft for DANE/SMIME
currently only uses the username portion of the address.

The obvious (and noted) privacy implications are that someone could
discover e-mail addresses by rainbow table DNS queries and/or zone walking.

I believe this can be mitigated.

S/MIME makes use of x.509 certificates, so I suggest using the serial
number from the x.509 certificate as a salt with the username before
taking the hash.

This could be done optionally rather than mandatory, though I certainly
would want to do it on mail systems I administer.

One of the things I worry about is spammers discovering valid e-mail
addresses through the DANE S/MIME and then using the public key of that
user to send encrypted malware that can not be filtered on the SMTP
servers because it is hidden.

If the serial number for the x.509 certificate is a salt for the hash,
then spammers can not determine the validity of an e-mail address from
DNS but those who already have the certificate can use DNS to DANE
validate the certificate.

Thank you for your time,

Michael A. Peters (aka Alice Wonder)

Paul Wouters

2017-04-11 19:15:00 UTC

Permalink

If the serial number for the x.509 certificate is a salt for the hash, then
spammers can not determine the validity of an e-mail address from DNS but
those who already have the certificate can use DNS to DANE validate the
certificate.

Except the whole point of this record is to publish that certificate, so
clearly the spammers have a copy of the serial number too :)

Paul

Alice Wonder

2017-04-11 22:25:15 UTC

Permalink

Post by Paul Wouters

Post by Alice Wonder
If the serial number for the x.509 certificate is a salt for the hash,
then spammers can not determine the validity of an e-mail address from
DNS but those who already have the certificate can use DNS to DANE
validate the certificate.

Except the whole point of this record is to publish that certificate, so
clearly the spammers have a copy of the serial number too :)
Paul

Okay I think my perspective on this is different.

Due to epilepsy, I do not drive and require more sleep than most people
and frequently must lie down. Not conductive to a good income, so I
never used S/MIME simply because I did not want to pay for certs for my
various e-mail addresses.

I tried OpenPGP but found the web of trust to be too complex for most
people I communicate with and found the procedure for revoking a private
key that may have been compromised too awkward.

I saw S/MIME with DANE as a way to use self-signed x.509 certs with
confidence (more confidence than I personally have in the CA system
where fraudulent certs are not uncommon, and where software like content
filters and superfish often insert a root authority into user's trusted
list) and saw S/MIME DANE as a way to validate those self-signed
certificates, not as a way to distribute them.

I am sorry, I misunderstood the purpose.

That being said, the suggestion of using 2 1 1 or even 2 0 0 entries may
give the privacy I seek.

If a * wildcard works with DNSSEC (I've never tried personally tried
them) then the e-mail domain could be the certificate authority for
x.509 certificates on the domain and sign certificates for the users
that could then be DANE validated without DNS giving positive
confirmation to the existence of an address or revealing the public key
needed for a spammer to bypass the content filtering when sending
malware to random users.

That is probably a better solution than using a serial number as a hash,
and probably is easier to manage too as it only requires one DNS entry
for every user on the system.

Paul Wouters

2017-04-12 16:19:16 UTC

Permalink

That being said, the suggestion of using 2 1 1 or even 2 0 0 entries may give
the privacy I seek.

It will, but you will then have to come up with a lookup system to find
the SMIME cert for a given user. If I want to email you without having
prior contact, how do I find your SMIME cert? Sure, if you email me you
can attach it, but then the problem moves from me to you on the first
email message.

And when you create some other lookup mechanism to find my key, you can
use that lookup mechanism to harvest email addresses.

In the end, email addresses are a point of contact and hard to keep
secret.

Paul

John Levine

2017-04-11 20:01:51 UTC

Permalink

Post by Alice Wonder
The obvious (and noted) privacy implications are that someone could
discover e-mail addresses by rainbow table DNS queries and/or zone walking.

There are a lot easier ways to find e-mail addresses, and the problem
of probing servers to see if addresses are valid has been around for
20 years. To the extent that we worry about it at all, the mail
community has a lot of countermeasures that we needn't rehash here.

Post by Alice Wonder
S/MIME makes use of x.509 certificates, so I suggest using the serial
number from the x.509 certificate as a salt with the username before
taking the hash.

Uh, what? If you already have the cert, why do you need to do the
lookup? And if you don't have the cert, where do you get the salt?

Post by Alice Wonder
One of the things I worry about is spammers discovering valid e-mail
addresses through the DANE S/MIME and then using the public key of that
user to send encrypted malware that can not be filtered on the SMTP
servers because it is hidden.

This is not a new or particularly interesting concern. Many people
have noted that with encrypted mail, all of the spam body checks have
to happen after it's decrypted. Malware signatures are just one
example of that.

R's,
John