On Thu, May 10, 2018 at 10:54 AM Daniel Margolis <[email protected]> wrote:
> Right.
>
> An attacker who can inject false DNS resolutions can, of course, redirect
> either the fixed mta-sts host or insert a spoofed TXT response--but by
> allowing the attacker to specify what hostname to use, it is more likely
> that attacks which indirectly allow an attacker to obtain a valid cert for
> a subdomain (as in the Tumblr or Blogspot case) can be leveraged (along
> with DNS injection) to serve a spoofed policy for the whole domain.
>

... but isn't this also the case with the current solution? Unless Tumblr
and Blogspot and everyone else know to reserve mta-sts, we have a similar
issue?

We've seen issues in the past where people forget to "reserve" hostmaster@
and hostmaster@, etc., and hilarity ensues. Setting a precedent of reserving
DNS labels in this way scares me...

W

> On Thu, May 10, 2018 at 4:47 PM Viktor Dukhovni <[email protected]>
> wrote:
>
>> > On May 10, 2018, at 10:41 AM, Warren Kumari <[email protected]> wrote:
>> >
>> > [ Edit: Could the format of the _mta-sts to be something like:
>> > "_mta-sts.example.com. TXT "v=STSv2; id=20180114T070707; label=foo" ?
>> >
>> > This would mean that the policy can be fetched from foo.example.com - the
>> > record *could* specify "label=mta-sts" if it wanted - this allows this to work
>> > without "reserving" a DNS label. ]
>>
>> Absent DNSSEC (which is the sad reason that MTA-STS exists at all) the TXT
>> record is untrusted data, and so should likely not be able to redirect the
>> policy source to an arbitrary host in the domain. I think that rather weakens
>> the security model...
>>
>> --
>> Viktor.
>>
>> _______________________________________________
>> Uta mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/uta
>>

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
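As an added illustration of Viktor's point (example code written for this page, not from the thread or any MTA-STS implementation): a small Python client-side parser in which the policy host label and path are constants, so an unrecognised field such as the proposed `label=foo` in the untrusted TXT record is parsed but can never change where the policy is fetched from. Record and policy syntax follow the published MTA-STS spec (`v=STSv1`, `mta-sts.<domain>/.well-known/mta-sts.txt`); function names and sample data are constructed.

```python
"""Added example: parse an MTA-STS TXT record and policy file. The policy
location is fixed; nothing in the untrusted TXT record can move it."""
import re
POLICY_HOST_LABEL = "mta-sts"            # fixed label, never read from DNS
POLICY_PATH = "/.well-known/mta-sts.txt"
MODES = ("enforce", "testing", "none")


def parse_sts_txt(record: str) -> dict:
    """Split '_mta-sts' TXT data into fields; 'v' must come first and be STSv1."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=STSv1":
        raise ValueError("first field must be v=STSv1")
    fields = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip().lower()] = value.strip()
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("missing or malformed id")
    return fields


def unrecognised_fields(fields: dict) -> list:
    """Fields a client must ignore, e.g. a 'label=' redirect like the one proposed."""
    return sorted(k for k in fields if k not in ("v", "id"))


def policy_url(domain: str) -> str:
    """The only URL the policy may be fetched from; host label and path are constants."""
    return f"https://{POLICY_HOST_LABEL}.{domain}{POLICY_PATH}"


def parse_policy(text: str) -> dict:
    """Parse the fetched policy body; 'mx' may repeat, so it becomes a list."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    if (policy.get("version") != "STSv1" or policy.get("mode") not in MODES
            or not policy.get("max_age", "").isdigit()):
        raise ValueError("bad version, mode or max_age")
    return policy
```

A record carrying `label=foo` is accepted (the spec says to ignore unknown fields) but `policy_url` still points at `mta-sts.<domain>`, which is the property the "fixed host" design gives up if the TXT record is allowed to name the host.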
