From: Ned Freed [mailto:ned(_dot_)freed(_at_)mrochek(_dot_)com]
The attacker cannot downgrade the server security,
particularly if the
server does not support unencrypted IMAP or POP.
I don't think the lack of support for unencrypted IMAP or POP
is quite sufficient. What's to stop an attacker acting as a
MITM (by publishing a bogus SRV record or whatever) getting
an unencypted connection and turning around and connecting to
the server using encryption?
Hopefully one would deploy DNSSEC.
Indeed, although I have to say that in my experience DNSSEC deployments are
rare. I wish it were otherwise but that's been my observation. As you have
pointed out elsewhere, the necessary impetus to deploy doesn't seem to exist.
Either a client key check on the server or the client
requiring encyption and checking the server cert will address
this, I believe.
If one has DNSSEC one could also use a DNS distributed key to secure the
server key.
Sure, that would be one way to do it, although AFAIK there aren't
specifications for how to do this in an interoperable way in place right now.
That avoids the need to have that particular cert issued by a Trusted Third
Party.
Indeed it does, which would be very nice indeed.
If you deploy DNSSEC the downgrade attack can be eliminated.
That prevents one MITM attack vector, but there may be others.
I have a somewhat larger proposal. I think that it is in fact possible to
offer a very robust level of security.
The discussion here is missing the point though. Most security schemes fail
because they are not used and they are not used because the administrative
configuration process is utterly abysmal. The reason that most WiFi access
points are not secured has nothing to do with the insecurity of WEP - which is
fixable.
I've heard this characterized as "designed for security without being designed
for usability". This is a trap we're caught in that we absolutely must break
free of if the security services we design are to have real utility. The
trouble is you have to do both at the same time and as part of the initial
design. We've shifted from doing neither at that point and trying to add
security after the fact (which is rarely very satisfactory) to being fairly
good at baking the security in from the start but not the usability. The result
is lots of people simply refuse to use the security capabilities we do have.
Fixing security holes is easy. Fixing usability holes is very hard,
particularly because none of us are psychologists and few of us are likely to
want to learn about it.
Indeed. Neither the psych crowd nor the human factors engineering crowd (which
I guess really amounts to a form of applied industrial psych) appear to be well
represented here. I confess I have no idea how to change this.
Therefore the security strategy we should be pushing for is going to be one
that requires the minimum number of user interactions while providing the user
with the most direct information that allows them to be safe.
Sounds right to me.
We currently have an abysmal security infrastructure in the Internet and this
is not going to be solved just by everyone deploying IPSEC.
It's abysmal in the sense that the focus has been on getting the best possible
security without regard to whether or not the result can actually be used by
anyone short of an expert. But yes, I agree that a shift of focus is urgently
needed.
Ned
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf