Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#10989 closed enhancement (worksforme)

bridgedb should use starttls for outgoing mails

Reported by: arma Owned by: isis
Priority: High Milestone:
Component: Circumvention/BridgeDB Version:
Severity: Keywords: bridgedb-email
Cc: sysrqb, isis, Sebastian, weasel Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Matt tells me that outgoing mails from bridgedb don't attempt starttls. This is especially sad because those mails include bridge addresses, which we're trying to keep secret from a network adversary who watches bridges.tp.o's network (or the recipient's network).

Child Tickets

Change History (7)

comment:1 Changed 6 years ago by arma

Cc: sysrqb isis added

comment:2 Changed 6 years ago by cypherpunks

I just received a bridge email that did use TLS:

Received: from ponticum.torproject.org (ponticum.torproject.org. [38.229.72.19])
        by mx.google.com with ESMTPS id ws6si6533465oeb.45.2014.02.21.04.18.40
        for <XXXXX@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 21 Feb 2014 04:18:40 -0800 (PST)

Btw, from RFC 3848:

   o  The new keyword "ESMTPS" indicates the use of ESMTP when STARTTLS
      is also successfully negotiated to provide a strong transport
      encryption layer.

So, this premise of this ticket (that STARTTLS isn't attempted) appears to be incorrect. However, if unencrypted SMTP connections are also allowed, that should be fixed. Here is a link to the relevant postfix documentation: http://www.postfix.org/TLS_README.html#client_tls

comment:3 Changed 6 years ago by isis

Keywords: bridgedb-email bridgedb-gsoc-application added
Owner: set to isis
Priority: normalmajor
Status: newassigned

Sysrqb, if I recall correctly, you looked into this at the 2014 Winter meeting... did you discover anything notable?

I do not recall off the top of head if emails sent out from BridgeDB are sent through Postfix, or directly sent from the bridgedb.EmailServer module.

If the latter, the code in Twisted and pyOpenSSL for inspecting the state of a TLS handshake is rather gruesomely opaque, as I found while writing a test for it in ooni. That said, perhaps this could be a very large undertaking, or possibly parts of that ooni code I wrote could be used (I tried to write large parts of the callbacks in a generalised fashion so that I'd never have to deal with this pain ever ever again). Perhaps we should force SSL/TLS (we shouldn't be supporting any email providers who don't provide SSL anyway), and refuse to send the email if the handshake does not succeed?

comment:4 Changed 6 years ago by isis

Added the bridgedb-gsoc-application tag because a GSoC application for a BridgeDB distribution method which completes this ticket would give me a good idea of a student's skill level.

comment:5 in reply to:  3 ; Changed 6 years ago by sysrqb

Replying to isis:

Sysrqb, if I recall correctly, you looked into this at the 2014 Winter meeting... did you discover anything notable?

I do not recall off the top of head if emails sent out from BridgeDB are sent through Postfix, or directly sent from the bridgedb.EmailServer module.


It is the former, and so far it seems to be doing what we want. I was silly and assumed it was the latter when I talked to arma. I just tested the inter-operation with yahoo.

yahoo -> bridges.tp.o:

Received: BridgeDB
From xxxx@yahoo.com  Fri Mar  7 XX:XX:XX 2014
X-Original-To: bridges@bridges.torproject.org
Delivered-To: bridgedb@ponticum.torproject.org
Received: from nm36.bullet.mail.ne1.yahoo.com (nm36.bullet.mail.ne1.yahoo.com [98.138.229.29])
      (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
      (Client did not present a certificate)
      by ponticum.torproject.org (Postfix) with ESMTPS id
      for <bridges@bridges.torproject.org>; Fri,  7 Mar 2014 XX:XX:XX +0000 (UTC)
Received: from [127.0.0.1] by nm36.bullet.mail.ne1.yahoo.com with NNFMP; 07 Mar 2014 XX:XX:XX -0000
Received: from [98.138.100.113] by nm36.bullet.mail.ne1.yahoo.com with NNFMP; 07 Mar 2014 XX:XX:XX -0000
Received: from [98.138.226.160] by tm104.bullet.mail.ne1.yahoo.com with NNFMP; 07 Mar 2014 XX:XX:XX -0000
Received: from [127.0.0.1] by omp1061.mail.ne1.yahoo.com with NNFMP; 07 Mar 2014 XX:XX:XX -0000
Received: (qmail 58298 invoked by uid 60001); 7 Mar 2014 XX:XX:XX -0000
Received: from [162.243.119.77] by web126103.mail.ne1.yahoo.com via HTTP; Thu, 06 Mar 2014 XX:XX:XX PST
X-Mailer: YahooMailWebService/0.8.177.636

So it appears to be unencrypted intra-yahoo, but TLSv1 with cipher DHE-RSA-AES256-SHA over the net. Not bad.

bridges.tp.o -> yahoo:

From bridges@torproject.org Fri Mar  7 XX:XX:XX 2014
Return-Path: <bridges@torproject.org>
Received: from 127.0.0.1  (EHLO ponticum.torproject.org) (38.229.72.19)
by mta1311.mail.ne1.yahoo.com with SMTPS; Fri, 07 Mar 2014 XX:XX:XX +0000
Received: from ponticum.torproject.org (localhost [127.0.0.1])
by ponticum.torproject.org (Postfix) with SMTP id
for <XXXX@yahoo.com>; Fri,  7 Mar 2014 XX:XX:XX +0000 (UTC)
Content-Type: text/plain
From: bridges@torproject.org
To: XXXX@yahoo.com

SMTPS is used during the return, so its security level is not immediately obvious but it's still better than plaintext.

And, in addition to cypherpunks' post,
gmail -> tp.o uses TLSv1 with cipher ECDHE-RSA-RC4-SHA

Also, for the record,
tp.o -> bridges.tp.o uses TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384

comment:6 in reply to:  5 Changed 6 years ago by isis

Cc: Sebastian weasel added
Resolution: worksforme
Status: assignedclosed

Replying to sysrqb:

Replying to isis:

I do not recall off the top of head if emails sent out from BridgeDB are sent through Postfix, or directly sent from the bridgedb.EmailServer module.


It is the former, and so far it seems to be doing what we want. I was silly and assumed it was the latter when I talked to arma. I just tested the inter-operation with yahoo.

SMTPS is used during the return, so its security level is not immediately obvious but it's still better than plaintext.


Awesome. Thanks for testing and gathering all this info. Thanks also, cypherpunks. :)

And, in addition to cypherpunks' post,
gmail -> tp.o uses TLSv1 with cipher ECDHE-RSA-RC4-SHA


Yeah, I'll bet they really want that forward secrecy for that RC4.

This one isn't something we can fix on ponticum, as far as I know. I believe we'd need to set the following host-wide for all of @torproject.org in /etc/postfix/main.cf:

smtp_tls_exclude_ciphers = aNULL, MD5, DES, [...], RC4


I'm neither a sysadmin nor a Postfix wizard, so I might be entirely wrong. Seeing as STARTTLS is successfully negotiated, however, I'm going to close this as worksforme.

Perhaps someone from the sysadmin team who knows more about Postfix wizardry can comment on whether it's a good idea to disable RC4 for SMTP from @torproject.org; CCing sebastian and weasel.

comment:7 Changed 6 years ago by isis

Keywords: bridgedb-gsoc-application removed

By the way, if this were fixable from BridgeDB's Twisted servers, this Twisted Trac ticket on setting ciphersuites in CertificateOptions would be relevant. (Documenting this just in case this issue comes up somewhere else.)

Note: See TracTickets for help on using tickets.