9fans - fans of the OS Plan 9 from Bell Labs
 help / color / mirror / Atom feed
* [9fans] "(more) security" leaking info example [was: one weird trick to break p9sk1 ?]
@ 2024-05-14  9:53 tlaronde
  0 siblings, 0 replies; only message in thread
From: tlaronde @ 2024-05-14  9:53 UTC (permalink / raw)
  To: 9fans

There was one interesting thread yesterday about p9sk1 and the leaking
of info allowing, in some cases, to break easily the whole security.

Here is another rather trivial example but it may be interesting to
some---and it may explain why on some lists, mails appear in chronological
disorder. (Not specific to Plan9: general problem.)

Context: when it comes to mail, I'm no specialist and just an end
user. Since I'm getting old, I kept with the "old" scheme that my
outcoming mail was to be fed to the Internet connection provider smtp
server. But since I may have to change the ISP---for whatever reason,
generally technical: lack of connection...---, I have a principal email
address, that is independent from the ISP domain, and, to segregate mails,
I may have alternate domain addresses.

Not this long ago, there was no problem. But eventually, the service
was provided with STARTTLS. No real problem too, except to put the
service in place. Then some ISP started, while being authenticated
both by the IP provided and furthermore by user account, to disallow
sending mail if the envelop address was not the user account address, trying
to force to use their provided mail address.

I then set the envelop address to the one required, but still set the
From: header address to my principal email address.

It worked.

Then, some days ago, I decided to send a message to an organization, say
foo.org (french political organization). On their website, they
advertised (they still do) some: contact_bar@foo.org.

Unpersonal address.

I had then the surprise to have Gmail bouncing a message to me about a
real person address, with the headers explaining that Google has
changed the policy and that mail without at least SPF or DKIM was not
anymore delivered.

The leak of information is here: the contact_bar@foo.org was in fact
forwarded to a real account.

My ISP, apparently, doesn't set SPF or DKIM to mail that have not the
From: address matching the envelop one (while both SPF and DKIM have
nothing to do with that, if I'm not mistaken: that's DMARC; and I'm
perfectly identifiable by both my IP and my user account). So my
message bounced to me because this lack of "security" feature but
displaying a personal information.

First note: I changed my configuration to use, from now on, because it
exists (but this may not be at disposal for everybody), the smtp linked to
the domain of my principal email address, and set both SPF and DKIM.
The result is that the mails are delivered without delay -> this may
explain why some addresses appear in mailing lists in chronological
disorder, because messages are put in quarantine, along the way, due to
lack of SPF or DKIM (not DMARC).

To add to the fun, it appears that the real person behind the generic
"contact_bar@foo.org" is known to me. The information leaked, in this
case, is not that this person has something to do with the organization (it was
known). The fun is that this person left the organization almost two
years ago, for a concurrent one (and in political organizations, to be
a traitor to one's country is not a problem, but to be a traitor to
the political organization is unforgivable). That foo.org have changed
their contact email address but not updated their website still advertising an
old address. Hence, people trying to contact foo.org using their
published contact email address were sending information to a concurrent


Security is a two edges blade: it can cut the throat of a opponent, or
cut your hand if you don't have a safety handle. In this case, it can be
used to probe for information precisely by crafting an incorrect message
to trigger error.
        Thierry Laronde <tlaronde +AT+ kergis +dot+ com>
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C

9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/T629509e6dbb32f37-Mf366d007d0da2425cff92a2d
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2024-05-14  9:54 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-05-14  9:53 [9fans] "(more) security" leaking info example [was: one weird trick to break p9sk1 ?] tlaronde

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).