From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-lj1-f174.google.com ([209.85.208.174]) by ewsd; Mon Jul 20 13:16:50 EDT 2020
Received: by mail-lj1-f174.google.com with SMTP id q4so21147347lji.2
        for <9front@9front.org>; Mon, 20 Jul 2020 10:16:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlemail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
        bh=AsKF7VlKAspd4FPobxvBGzlCmbHrVN6R+Jf7YbNPMWs=;
        b=eHOrkbzGHB8MZq05oGp6YbhsSG7yeaqKlqS3ZaB9vkIftYnJalRSP5fuV6ZW53jO1w
         91N/YR+xV9Ae9io7ShkgyPhDLu4S1uAdWyw8kXf82BSLhQIUCMkDLUJLj5FF73u/lRmD
         FDfHOfs5LD1yeFIvnMpwuBXzB4zSZPDmDmf12tx/PmB9mvQ5nMAcT961LDeWoopnZaqI
         buyr6zUd6vbpa0yjzCxyjnk1VcaYYvUR2fbhI27LGyOqUY7o3whkHMHJ0ZN1wKEVtsAu
         9lsoh/rLgILXviWNye6vO/DNY0BPJlEsgqPW5xIA9aM1T1XFO/rm2gzlpTkgaDGHHOEH
         bIQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to;
        bh=AsKF7VlKAspd4FPobxvBGzlCmbHrVN6R+Jf7YbNPMWs=;
        b=VWrchNHF+WaY7ptiLBVNTvLKCUU5BuaoXCr1Gk6T696hcMohrU7nw0s9uA0vTY/hnh
         xVVQX6K/G66yzjCuHy/m+6j6AYGXzSBW8I+ZVj+GYLO4irUnYNe7Oc+q1gWm0pAsJMno
         VDx5iGKQgPaZNQhivy1hUU1jfGNhE+b/7XOvrLI5tA4WpxSWfh0OPt1uVdc7p+/5eZR0
         tvqpOOtO2V/i9F03B1zRLsmL1mctNvB0JJiCJxMBdjqgyXrYDHlHuFwyaz+T5wzo8cIW
         LsKkocNNN67JN2jVljPvGLtyyWDOwD7dQWJYWsgQu+uLHI9nQfogcxJ/Q579ZtFphZAi
         N+4g==
X-Gm-Message-State: AOAM5301vxH/4JnfVXk6ZPN05GbbM2seOjpJ4KumIqDhMbmHvSemVmEm
	wR72bUVHChQZdgMxSACcE2uLChGjFhMlZSt/xy5G+w==
X-Google-Smtp-Source: ABdhPJwjYvg9hwl1fh+PO3Df2wRJkl5SasSub1NFN6SM8GzQQwUP5z6Pl7Dx9wExnpHLcJJc5B3xcnr2Nwl4RtuvIxo=
X-Received: by 2002:a2e:b5a8:: with SMTP id f8mr10215920ljn.247.1595265402622;
 Mon, 20 Jul 2020 10:16:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac2:514c:0:0:0:0:0 with HTTP; Mon, 20 Jul 2020 10:16:41
 -0700 (PDT)
In-Reply-To: <BC75BC74DEF132FCD6A0F1C7E3D9FCEC@felloff.net>
References: <12797BEC64C15CAB8201AA7801E6B319@eigenstate.org> <BC75BC74DEF132FCD6A0F1C7E3D9FCEC@felloff.net>
From: Joel Fridolin Meyer <sirjofri@googlemail.com>
Date: Mon, 20 Jul 2020 19:16:41 +0200
Message-ID: <CAF5U_z1nW50mN4KRZPrWkK52Kzjdg6UcR+OOQbqhiFZFh43KXQ@mail.gmail.com>
Subject: Re: [9front] patch smtp: ignore unrecognized certificates
To: 9front@9front.org
Content-Type: text/plain; charset="UTF-8"
List-ID: <9front.9front.org>
List-Help: <http://lists.9front.org>
X-Glyph: ➈
X-Bullshit: metadata map/reduce manager 

Hello again.

I read through your responses and will adjust the patch (use -C instead of -c).

About no thumbprint loading: I left it in on purpose, so that admins
still get the notice and can track connections etc. For example admins
can see what connections were made and manually add them to the file
if they want to enable security checks at some point.

I can remove loading of thumbprints at all, I just wanted to give you
my thoughts.

Also we could remove the goto here, but I guess I need some hint,
because somehow my brain didn't want to think properly when I looked
at the code.

sirjofri

2020-07-20 18:18 GMT+02:00, cinap_lenrek@felloff.net <cinap_lenrek@felloff.net>:
> you need to differentiate some use cases.
>
> for servers like your isp's or your networks forwarding mailserver
> (machines that you have direct relation or control over), it makes
> sense to pin certificates or public key. this is where you use
> smtps, instead of this insecure STARTTLS contraption.
>
> but on the internet, nobody is really checking the cert as theres no
> root of trust. last time i checked, you could put a self signed cert
> in your smtp server and you'd still get mail as theres not really
> a common root of trust. this is different from webbrowsers where
> the root of trust is controlled by the browser vendo^Wgoogle.
>
> smtp is just opportunistic encrytion. hell, starttls can be attacked
> by mitm by just stripping the command with a proxy to sabotage the
> tls negotiation.
>
> it is just best effort to at least encrypt the data, but it will not
> hold against an adversary that has active mitm capability. to it
> protects from passive sniffing...
>
> mayyyybe, if we had dnssec and put the public key hash in the dns
> then we could have mitm protected email transport. but its not
> working very well. people whine that they dont want to trust the
> dns (fair enougth) and then use letsencrypt instead which completely
> 100% relies on dns for the renewal...
>
> in conclusion, it makes sense to me to add a flag to smtp client
> for opportunistic encryption that skips certificate verification.
> (you'd control it in your remotemail script depending on the
> destination, so you can still pin the keys for sites that you
> trust).
>
> tho please dont use -c flag. its a negative, so should have
> a capital letter. and we should also skip loading the tumbprint
> at all, as it makes no sense to try to check anything in this case.
>
> --
> cinap
>