Hi All, I was going to send a variant of this message to the tails-dev mailing list, but I found a plan[0] for removing mutt in Tails 1.4, so this list seems more appropriate now.
For most users, mutt is irrelevant, but Claws Mail looks like it may be
affected by this, too. I haven't confirmed it or looked at how to fix
it yet, though. The rest of this mail does not cover Claws Mail.
The short version of this is that Gmail's SMTP server (and possibly
others) uses a limited ciphersuite set[1] which does not overlap well
with the normal ciphersuites used in GnuTLS 2.12.x [3], resulting in
negotiating TLS_RSA_ARCFOUR_128_SHA1. The fact that this negotiates a
ciphersuite using RC4 is worrying. The two easy-ish solutions within
Tails are either to install/upgrade mutt to the version in unstable
(1.5.23-3) or to configure an SMTP client, like msmtp, where you can
control which ciphers it can use (and disable all RC4 ciphersuites).
The less short version is: if you are in this situation, you might want
to consider changing your configuration. GnuTLS 2.12.x has received some
very important backported security features, but it doesn't support
all key exchange methods specified by SSLv3 and TLSv1; this is the
problem - mainly it doesn't support ECDHE. Looking at the ciphersuites
supported by smtp.gmail.com[1] (the server enforces its own cipher
ordering, so the server's preference order decides), the first
ciphersuite in that order which overlaps with Mutt's list[3] is RC4-SHA.
The first way to mitigate this is by upgrading Mutt to the version in
Debian Unstable. Tails makes this very easy. Simply run:
$ sudo apt-get install -t unstable mutt
This will upgrade mutt, but more importantly, it will install a newer
version of GnuTLS which supports the better/higher-priority
ciphersuites[4]. Specifically, after the upgrade Mutt/GnuTLS and
smtp.gmail.com now negotiate TLS_ECDHE_RSA_AES_128_GCM_SHA256.
Of course, with these situations, no solution is perfect. Depending on
your threat model, you may care that upgrading these packages could
create a fingerprint which is unique from other Tails users. You must
choose which is more important.
The second method involves using a local SMTP client. Currently Tails
comes with msmtp, so it will be used as an example. Overall, it is
likely this results in weaker security than upgrading the packages, but
it's better than using the default.
Mutt supports SMTP, but the reason for adding an SMTP client in this
case is finer control of TLS parameters. Mutt (v1.5.21) allows
configuring whether or not TLS is used, and enabling/disabling SSLv3
and TLSv1, but not much more. In this situation we want RC4 removed as
a supported cipher - Mutt doesn't allow this.
Configuring Mutt so it uses msmtp is relatively simple. Create an msmtp
configuration file at ~/.msmtprc and add something like:
# Account
account default
host smtp.gmail.com
port 587
auth on
user your-username-here
from your-from-address-here
password your-password-here
# Enable TLS
tls on
tls_certcheck on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
tls_starttls on
tls_force_sslv3 off
tls_priorities NORMAL:-ARCFOUR-128:-ARCFOUR-40
and replace "your-username-here" with your username (for gmail this is
simply your full email address), replace "your-from-address-here" with
your email address, and replace "your-password-here" with your password.
Because the file contains a password, msmtp requires it to be readable
only by you (chmod 600 ~/.msmtprc) and refuses to use it otherwise.
(Storing your password in this file is not really recommended; there are
better ways to do this. See other tutorials online[6], for example.)
Next, edit your .muttrc file and add something like:
set sendmail="/usr/bin/msmtp"
set use_from=yes
set realname="Your Name"
set [email protected]
set envelope_from=yes
setting realname= to the name you want to appear in your emails, and
from= to your email address. Please see msmtp(1) for additional
configuration options.
If your muttrc is already configured with smtp_url= and smtp_pass=, you
should either delete those or comment them out.
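To make the negotiation described in this mail concrete, here is an added example (my own code, not part of the original mail or of mutt/msmtp/GnuTLS) that models server-preference ciphersuite selection using the three lists quoted in the footnotes: Gmail's SMTP order from [1], the GnuTLS 2.12 Client Hello from [3] and the GnuTLS 3.3 Client Hello from [4]. It assumes the server picks the first suite in its own order that the client offered (which is what cipherscan's "Server side cipher ordering" reports), and the OpenSSL-name-to-IANA-code mapping for Gmail's list is assembled by me from the codes in [4]. The msmtp priority string NORMAL:-ARCFOUR-128:-ARCFOUR-40 is modelled simply as dropping every suite whose GnuTLS name contains ARCFOUR.

```python
# Added example (not from the original mail): model TLS ciphersuite
# negotiation under server-side cipher ordering, using the lists in [1], [3], [4].
import re

# smtp.gmail.com's suites in the server's own preference order, from cipherscan [1].
# IANA codes for the OpenSSL names are taken from the GnuTLS 3.3 list in [4].
GMAIL_SMTP_SERVER_ORDER = [
    ("ECDHE-RSA-AES128-GCM-SHA256", 0xC02F),
    ("ECDHE-RSA-RC4-SHA", 0xC011),
    ("ECDHE-RSA-AES128-SHA", 0xC013),
    ("ECDHE-RSA-AES256-SHA", 0xC014),
    ("AES128-GCM-SHA256", 0x009C),
    ("RC4-SHA", 0x0005),
    ("RC4-MD5", 0x0004),
    ("AES128-SHA", 0x002F),
    ("DES-CBC3-SHA", 0x000A),
    ("AES256-SHA", 0x0035),
]

# Client Hello suites of GnuTLS 2.12.17 (libgnutls26), verbatim from [3].
GNUTLS_2_12_TEXT = """
TLS_DHE_RSA_AES_128_CBC_SHA1 (0033)
TLS_DHE_RSA_AES_128_CBC_SHA256 (0067)
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (0045)
TLS_DHE_RSA_AES_256_CBC_SHA1 (0039)
TLS_DHE_RSA_AES_256_CBC_SHA256 (006b)
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (0088)
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 (0016)
TLS_DHE_DSS_AES_128_CBC_SHA1 (0032)
TLS_DHE_DSS_AES_128_CBC_SHA256 (0040)
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 (0044)
TLS_DHE_DSS_AES_256_CBC_SHA1 (0038)
TLS_DHE_DSS_AES_256_CBC_SHA256 (006a)
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 (0087)
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 (0013)
TLS_DHE_DSS_ARCFOUR_128_SHA1 (0066)
TLS_RSA_AES_128_CBC_SHA1 (002f)
TLS_RSA_AES_128_CBC_SHA256 (003c)
TLS_RSA_CAMELLIA_128_CBC_SHA1 (0041)
TLS_RSA_AES_256_CBC_SHA1 (0035)
TLS_RSA_AES_256_CBC_SHA256 (003d)
TLS_RSA_CAMELLIA_256_CBC_SHA1 (0084)
TLS_RSA_3DES_EDE_CBC_SHA1 (000a)
TLS_RSA_ARCFOUR_128_SHA1 (0005)
TLS_RSA_ARCFOUR_128_MD5 (0004)
"""

# Client Hello suites of GnuTLS 3.3.0 (libgnutls-deb0-28): the 66 codes from [4], in order.
GNUTLS_3_3_CODES = [int(c, 16) for c in """
c02b c02c c086 c087 c009 c023 c00a c024 c072 c073 c008 c007
c02f c030 c08a c08b c013 c027 c014 c028 c076 c077 c012 c011
009c 009d c07a c07b 002f 003c 0035 003d 0041 00ba 0084 00c0 000a 0005 0004
009e 009f c07c c07d 0033 0067 0039 006b 0045 00be 0088 00c4 0016
00a2 00a3 c080 c081 0032 0040 0038 006a 0044 00bd 0087 00c3 0013 0066
""".split()]

SUITE_LINE = re.compile(r"^(TLS_\w+)\s+\(([0-9a-f]{4})\)$")


def parse_gnutls_list(text):
    """Parse 'NAME (hex)' lines as printed in the mail into (name, code) pairs."""
    suites = []
    for line in text.strip().splitlines():
        m = SUITE_LINE.match(line.strip())
        if not m:
            raise ValueError("unrecognised ciphersuite line: %r" % line)
        suites.append((m.group(1), int(m.group(2), 16)))
    return suites


def exclude(suites, *cipher_tokens):
    """Drop suites whose GnuTLS name contains any token; this models a
    priority string like NORMAL:-ARCFOUR-128:-ARCFOUR-40 (token 'ARCFOUR')."""
    return [(n, c) for n, c in suites if not any(t in n for t in cipher_tokens)]


def codes(suites):
    return [c for _, c in suites]


def negotiate(server_order, client_codes):
    """Server-preference selection: walk the server's list and return the
    OpenSSL name of the first suite the client offered, or None if no overlap."""
    offered = set(client_codes)
    for name, code in server_order:
        if code in offered:
            return name
    return None


def scenarios():
    """The three client configurations discussed in the mail."""
    old = parse_gnutls_list(GNUTLS_2_12_TEXT)
    return {
        "Tails default: mutt 1.5.21 / GnuTLS 2.12": negotiate(GMAIL_SMTP_SERVER_ORDER, codes(old)),
        "unstable: mutt 1.5.23 / GnuTLS 3.3": negotiate(GMAIL_SMTP_SERVER_ORDER, GNUTLS_3_3_CODES),
        "msmtp / GnuTLS 2.12, ARCFOUR excluded": negotiate(GMAIL_SMTP_SERVER_ORDER,
                                                           codes(exclude(old, "ARCFOUR"))),
    }


if __name__ == "__main__":
    for label, suite in scenarios().items():
        print("%-42s -> %s" % (label, suite))
```

Running it reproduces the two results reported in the mail (RC4-SHA for the stock client, ECDHE-RSA-AES128-GCM-SHA256 after the upgrade) and also shows what the msmtp route buys you: with ARCFOUR excluded the next overlap between [1] and [3] is AES128-SHA, a non-PFS CBC suite, which is why the mail calls it weaker than upgrading but better than RC4. The model ignores protocol-version restrictions (cipherscan lists AES128-GCM-SHA256 as TLSv1.2-only); that does not change these outcomes because GnuTLS 2.12 offers no GCM suites at all.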
As mentioned above, altering this configuration could become a
fingerprint, but in most cases it is likely better to be unique than
use RC4.
For those wondering about the risks of using AES-CBC considering the
known attacks against it, the threat of RC4 being broken is far more
serious and worrying. This is especially true considering the
requirements for successfully executing the known padding-oracle attacks
against AES-CBC.
Also, for those wondering why this only matters for SMTP with Mutt and
not IMAP, it's because imap.gmail.com uses different ciphersuites[7]
than smtp.gmail.com.
I hope this makes sense. I'm happy to clarify anything which was written
poorly.
All the best,
Matt
[0] https://labs.riseup.net/code/issues/8727
[1] I used cipherscan for this
https://github.com/jvehent/cipherscan.git
~/cipherscan$ ./cipherscan -o /usr/bin/openssl -starttls smtp smtp.gmail.com:587
...........
Target: smtp.gmail.com:587
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
3 ECDHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
4 ECDHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
5 AES128-GCM-SHA256 TLSv1.2
6 RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
7 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2
8 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
9 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
10 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 100800
OCSP stapling: not supported
Server side cipher ordering
[3] GnuTLS ciphersuites advertised by libgnutls26=2.12.17-0
Retrieved from a pcap:
TLS_DHE_RSA_AES_128_CBC_SHA1 (0033)
TLS_DHE_RSA_AES_128_CBC_SHA256 (0067)
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (0045)
TLS_DHE_RSA_AES_256_CBC_SHA1 (0039)
TLS_DHE_RSA_AES_256_CBC_SHA256 (006b)
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (0088)
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 (0016)
TLS_DHE_DSS_AES_128_CBC_SHA1 (0032)
TLS_DHE_DSS_AES_128_CBC_SHA256 (0040)
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 (0044)
TLS_DHE_DSS_AES_256_CBC_SHA1 (0038)
TLS_DHE_DSS_AES_256_CBC_SHA256 (006a)
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 (0087)
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 (0013)
TLS_DHE_DSS_ARCFOUR_128_SHA1 (0066)
TLS_RSA_AES_128_CBC_SHA1 (002f)
TLS_RSA_AES_128_CBC_SHA256 (003c)
TLS_RSA_CAMELLIA_128_CBC_SHA1 (0041)
TLS_RSA_AES_256_CBC_SHA1 (0035)
TLS_RSA_AES_256_CBC_SHA256 (003d)
TLS_RSA_CAMELLIA_256_CBC_SHA1 (0084)
TLS_RSA_3DES_EDE_CBC_SHA1 (000a)
TLS_RSA_ARCFOUR_128_SHA1 (0005)
TLS_RSA_ARCFOUR_128_MD5 (0004)
[4] GnuTLS ciphersuites advertised by libgnutls-deb0-28=3.3.0
Retrieved from a pcap:
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (c02b)
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (c02c)
TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (c086)
TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (c087)
TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (c009)
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (c023)
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (c00a)
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (c024)
TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (c072)
TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (c073)
TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (c008)
TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1 (c007)
TLS_ECDHE_RSA_AES_128_GCM_SHA256 (c02f)
TLS_ECDHE_RSA_AES_256_GCM_SHA384 (c030)
TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (c08a)
TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (c08b)
TLS_ECDHE_RSA_AES_128_CBC_SHA1 (c013)
TLS_ECDHE_RSA_AES_128_CBC_SHA256 (c027)
TLS_ECDHE_RSA_AES_256_CBC_SHA1 (c014)
TLS_ECDHE_RSA_AES_256_CBC_SHA384 (c028)
TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (c076)
TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (c077)
TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (c012)
TLS_ECDHE_RSA_ARCFOUR_128_SHA1 (c011)
TLS_RSA_AES_128_GCM_SHA256 (009c)
TLS_RSA_AES_256_GCM_SHA384 (009d)
TLS_RSA_CAMELLIA_128_GCM_SHA256 (c07a)
TLS_RSA_CAMELLIA_256_GCM_SHA384 (c07b)
TLS_RSA_AES_128_CBC_SHA1 (002f)
TLS_RSA_AES_128_CBC_SHA256 (003c)
TLS_RSA_AES_256_CBC_SHA1 (0035)
TLS_RSA_AES_256_CBC_SHA256 (003d)
TLS_RSA_CAMELLIA_128_CBC_SHA1 (0041)
TLS_RSA_CAMELLIA_128_CBC_SHA256 (00ba)
TLS_RSA_CAMELLIA_256_CBC_SHA1 (0084)
TLS_RSA_CAMELLIA_256_CBC_SHA256 (00c0)
TLS_RSA_3DES_EDE_CBC_SHA1 (000a)
TLS_RSA_ARCFOUR_128_SHA1 (0005)
TLS_RSA_ARCFOUR_128_MD5 (0004)
TLS_DHE_RSA_AES_128_GCM_SHA256 (009e)
TLS_DHE_RSA_AES_256_GCM_SHA384 (009f)
TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (c07c)
TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (c07d)
TLS_DHE_RSA_AES_128_CBC_SHA1 (0033)
TLS_DHE_RSA_AES_128_CBC_SHA256 (0067)
TLS_DHE_RSA_AES_256_CBC_SHA1 (0039)
TLS_DHE_RSA_AES_256_CBC_SHA256 (006b)
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (0045)
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00be)
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (0088)
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00c4)
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 (0016)
TLS_DHE_DSS_AES_128_GCM_SHA256 (00a2)
TLS_DHE_DSS_AES_256_GCM_SHA384 (00a3)
TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256 (c080)
TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384 (c081)
TLS_DHE_DSS_AES_128_CBC_SHA1 (0032)
TLS_DHE_DSS_AES_128_CBC_SHA256 (0040)
TLS_DHE_DSS_AES_256_CBC_SHA1 (0038)
TLS_DHE_DSS_AES_256_CBC_SHA256 (006a)
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 (0044)
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256 (00bd)
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 (0087)
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256 (00c3)
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 (0013)
TLS_DHE_DSS_ARCFOUR_128_SHA1 (0066)
[5] http://gnutls.org/manual/html_node/Supported-ciphersuites.html
[6] https://www.proteansec.com/linux/the-ultimate-guide-to-mutt/
[7] I used cipherscan for this
https://github.com/jvehent/cipherscan.git
~/cipherscan$ ./cipherscan -o /usr/bin/openssl imap.gmail.com:993
..................
Target: imap.gmail.com:993
prio ciphersuite                  protocols                    pubkey_size signature_algorithm     trusted ticket_hint ocsp_staple pfs_keysize
1    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      2048        sha1WithRSAEncryption   True    100800      False
2    ECDHE-RSA-AES128-SHA         TLSv1.1,TLSv1.2              2048        sha1WithRSAEncryption   True    100800      False
3    ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048        sha256WithRSAEncryption True    100800      False
4    AES128-GCM-SHA256            TLSv1.2                      2048        sha1WithRSAEncryption   True    100800      False
5    AES128-SHA256                TLSv1.2                      2048        sha1WithRSAEncryption   True    100800      False
6    AES128-SHA                   TLSv1.1,TLSv1.2              2048        sha1WithRSAEncryption   True    100800      False
7    RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048        sha1WithRSAEncryption   True    100800      False
8    RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048        sha1WithRSAEncryption   True    100800      False
9    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      2048        sha1WithRSAEncryption   True    100800      False
10   ECDHE-RSA-AES256-SHA384      TLSv1.2                      2048        sha1WithRSAEncryption   True    100800      False
11   ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048        sha1WithRSAEncryption   True    100800      False
12   AES256-GCM-SHA384            TLSv1.2                      2048        sha1WithRSAEncryption   True    100800      False
13   AES256-SHA256                TLSv1.2                      2048        sha1WithRSAEncryption   True    100800      False
14   AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048        sha1WithRSAEncryption   True    100800      False
15   ECDHE-RSA-AES128-SHA256      TLSv1.2                      2048        sha1WithRSAEncryption   True    100800      False
16   ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048        sha1WithRSAEncryption   True    100800      False
17   DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048        sha1WithRSAEncryption   True    100800      False
OCSP stapling: not supported
Server side cipher ordering
_______________________________________________ tails-support mailing list [email protected] https://mailman.boum.org/listinfo/tails-support To unsubscribe from this list, send an empty email to [email protected].
