Date: Tue, 14 May 2024 11:53:48 +0200
To: 9fans <9fans@9fans.net>
Subject: [9fans] "(more) security" leaking info example [was: one weird trick to break p9sk1 ?]

There was one interesting thread yesterday about p9sk1 and the
leaking of info allowing, in some cases, to break easily the whole
security.

Here is another rather trivial example but it may be interesting to
some---and it may explain why on some lists, mails appear in
chronological disorder. (Not specific to Plan9: general problem.)

Context: when it comes to mail, I'm no specialist and just an end user.
Since I'm getting old, I kept with the "old" scheme that my outgoing
mail was to be fed to the Internet connection provider smtp server.
But since I may have to change the ISP---for whatever reason,
generally technical: lack of connection...---, I have a principal
email address, that is independent from the ISP domain, and, to
segregate mails, I may have alternate domain addresses.

Not so long ago, there was no problem. But eventually, the service
was provided with STARTTLS. No real problem either, except to put the
service in place.

Then some ISP started, while being authenticated both by the IP
provided and furthermore by user account, to disallow sending mail if
the envelope address was not the user account address, trying to force
to use their provided mail address. I then set the envelope address to
the one required, but still set the From: header address to my
principal email address. It worked.

Then, some days ago, I decided to send a message to an organization,
say foo.org (French political organization). On their website, they
advertised (they still do) some: contact_bar@foo.org. Impersonal
address.

I had then the surprise to have Gmail bouncing a message to me about
a real person address, with the headers explaining that Google has
changed the policy and that mail without at least SPF or DKIM was not
anymore delivered.

The leak of information is here: the contact_bar@foo.org was in fact
forwarded to a real account. My ISP, apparently, doesn't set SPF or
DKIM to mail that have not the From: address matching the envelope one
(while both SPF and DKIM have nothing to do with that, if I'm not
mistaken: that's DMARC; and I'm perfectly identifiable by both my IP
and my user account). So my message bounced to me because of this lack
of "security" feature but displaying a personal information.

First note: I changed my configuration to use, from now on, because
it exists (but this may not be at disposal for everybody), the smtp
linked to the domain of my principal email address, and set both SPF
and DKIM. The result is that the mails are delivered without delay ->
this may explain why some addresses appear in mailing lists in
chronological disorder, because messages are put in quarantine, along
the way, due to lack of SPF or DKIM (not DMARC).

To add to the fun, it appears that the real person behind the generic
"contact_bar@foo.org" is known to me. The information leaked, in this
case, is not that this person has something to do with the
organization (it was known). The fun is that this person left the
organization almost two years ago, for a concurrent one (and in
political organizations, to be a traitor to one's country is not a
problem, but to be a traitor to the political organization is
unforgivable). That foo.org have changed their contact email address
but not updated their website still advertising an old address. Hence,
people trying to contact foo.org using their published contact email
address were sending information to a concurrent organization...
Splendid!

Security is a two-edged blade: it can cut the throat of an opponent,
or cut your hand if you don't have a safety handle. In this case, it
can be used to probe for information precisely by crafting an
incorrect message to trigger error.

-- 
Thierry Laronde
http://www.kergis.com/
http://kertex.kergis.com/
http://nunc-et-hic.fr/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/T629509e6dbb32f37-Mf366d007d0da2425cff92a2d
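
The distinction the message draws between SPF/DKIM and DMARC can be made concrete with a small identifier-alignment check in the sense of RFC 7489. This is an added example, not part of the original mail; the domains are constructed (`example.org` for the sender's own domain, `isp.example` for the ISP account), and the two-label organizational-domain rule is a simplifying assumption.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# SPF authenticates the envelope (MAIL FROM) domain, DKIM the d= domain;
# DMARC passes only if one of them passes AND aligns with the From: domain.
from email.utils import parseaddr


def domain_of(address):
    """Lower-cased domain of 'user@dom' or 'Name <user@dom>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real
    # evaluator derives it from the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    if strict:
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_eval(header_from, envelope_from, spf_result, dkim_sigs, strict=False):
    """dkim_sigs is a list of (d= domain, result) pairs, one per signature."""
    fdom = domain_of(header_from)
    spf_ok = spf_result == "pass" and aligned(domain_of(envelope_from), fdom, strict)
    dkim_ok = any(res == "pass" and aligned(d.lower(), fdom, strict)
                  for d, res in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


# Constructed cases mirroring the situations described in the mail.
CASES = {
    # Relayed through the ISP: envelope is the ISP account, From: is the
    # sender's own domain, no DKIM signature. SPF passes but is not aligned.
    "isp_relay": ("Me <me@example.org>", "account@isp.example", "pass", []),
    # Sent through the own domain's SMTP with SPF and DKIM in place.
    "own_domain": ("Me <me@example.org>", "me@mail.example.org", "pass",
                   [("example.org", "pass")]),
    # Same message after a plain forward: the forwarder's IP fails SPF,
    # but the untouched DKIM signature still verifies and aligns.
    "forwarded": ("Me <me@example.org>", "me@mail.example.org", "fail",
                  [("example.org", "pass")]),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(name, dmarc_eval(*args))
```

The `forwarded` case is the one relevant to a contact alias that redirects to another mailbox: only an aligned DKIM signature keeps the message acceptable to the final receiver.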