SlideShare ist ein Scribd-Unternehmen logo

Email Security Study Finds Widespread Issues

Aaron Zauner
Aaron Zauner

IETF93

Technologie
1 von 14
Downloaden Sie, um offline zu lesen
State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner IETF93 Prague, Security Area Open Meeting - 23/07/2015
Overview Results Conclusion
Context § Joined SBA-Research in Janurary to help with an ongoing Internet-wide scanning project § We’ve conducted scans on e-mail related ports over the last couple of months § Currently digging through collected data and writing papers IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 1/12
Targets and Methods § SMTP(S), POP3(S), IMAP(S) and Legacy Ports § masscan and sslyze with a queueing framework built around it § Delay between handshakes in sslyze added § some POP/IMAP daemons are easily DoSed § Runs spanning months (roughly from April to June) § About 9.2 billon TLS handshakes with sslyze § Multiple masscan runs for banners/certs § triggered dovecot bug (CVE-2015-3420) :) § initially discovered and investigated/reported upstream by Hanno Boeck IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 2/12
Protocol Support IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 3/12
RC4 Accepting RC4 Not accepting RC4 SMTPS 82,27 17,73 SMTP 86,27 13,73 IMAPS 83,36 16,64 IMAP 85,71 14,29 POP3S 83,74 16,26 POP3 86,51 13,49 Table : RC4 Cipher Support Percentage IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 4/12
AUTH PLAIN offered by hosts SMTP (25) § 917,536 - AUTH PLAIN, no STARTTLS support § 1,722,387 - AUTH PLAIN & STARTTLS IMAP (143) § 211,962 - AUTH PLAIN, no STARTTLS support § 3,243,632 - AUTH PLAIN & STARTTLS POP3 (110) § 225,341 - AUTH PLAIN, no STARTTLS support § 3,391,525 AUTH PLAIN & STARTTLS IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 5/12
Certificates ssc: signed certificate, ok: CA signed, local: unable to get local issuer certificate, ssc chain: self signed certificate in certificate chain (Mozilla Truststore) IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 6/12
Certificates (cont.) SMTP and SMTPS § Almost all leafs >= 1024 bit RSA (most 2048) § Same for intermediates (fewer than 200 with less than 1024 bit RSA) POP3(S) and IMAP(S) § Very similar results, a few more low-bit leaf and intermediates. IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 7/12
Weak ciphers and Anon-DH SMTP (STARTTLS) § RC2-CBC-MD5 - 40.9% accept (26.5% prefer!) § IDEA-CBC-MD5 - 14.4% accept SMTPS § Anon-DH suites: about 12% acceptance POP(S)/IMAP(S) § Nothing too exciting, ask me about details if you’re interested IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 8/12
Key-exchange DH(E) § Large number of 512bit DH primes in SMTP § Sigificant amount of DH group size =< 1024 in all studied protocols ECDH(E) § Group size: most use 256, some 384, very few 521 throughout studied protocols Common Primes § Apache prime (Adrian et al ‘Weak-DH’ paper) not used § mod_ssl prime: some users, very few more on this topic TBD IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 9/12
Weak Keys Analyzed 40,268,806 collected certificates. Rather unspecacular: Fast-GCD (Heninger et al. “Mining P’s & Q’s”, algo. by djb) § 30,757,242 RSA moduli § 2,354,090 uniques § 456 GCDs found Debian Weak-Keys (CVE-2008-0166) § Compared to openssl-blacklist package § A single (1) match IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 10/12
Conclusion § First to conduct such a detailed study for E-Mail § A lot of issues with transport security in the e-mail ecosystem § Results are pretty much what we’ve expected beforehand § We’ll publish all collected datasets (soon-ish) § More studies, analysis and papers forthcoming § We have tons of additional data, if you have specific questions write us! IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 11/12
Thanks for your patience. Are there any questions? Point of contact: abuse@sba-research.org IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 12/12

Empfohlen

No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...Aaron Zauner
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS SecurityAaron Zauner
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
05 06 ike
05 06 ike05 06 ike
05 06 ikeBabaa Naya
 
DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)Olle E Johansson
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer securityMaarten Smeets
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesJaroslavChmurny
 

Empfohlen

No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...Aaron Zauner
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS SecurityAaron Zauner
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
05 06 ike
05 06 ike05 06 ike
05 06 ikeBabaa Naya
 
DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)Olle E Johansson
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer securityMaarten Smeets
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesJaroslavChmurny
 
Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3vpnmentor
 
Networking Task
Networking Task Networking Task
Networking Task Nicole Gaehle, MSIST
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaWardner Maia
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?hannob
 
TLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one specTLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one specNatasha Rooney
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
 
Tunneling vpn security and implementation
Tunneling vpn security and implementationTunneling vpn security and implementation
Tunneling vpn security and implementationMohibullah Saail
 
Tunneling
TunnelingTunneling
TunnelingIlan Mindel
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLSDr Anjan Krishnamurthy
 
TLS: Past, Present, Future
TLS: Past, Present, FutureTLS: Past, Present, Future
TLS: Past, Present, Futurevpnmentor
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App FirewallBrian A. McHenry
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15Brian A. McHenry
 
TLS
TLSTLS
TLSDaniel Stenberg
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGPSarang Ananda Rao
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer SecurityHuda Seyam
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsAFRINIC
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasJean-Baptiste Trystram
 
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docxtroutmanboris
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?Microsoft
 

Weitere ähnliche Inhalte

Was ist angesagt?

Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3vpnmentor
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaWardner Maia
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?hannob
 
TLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one specTLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one specNatasha Rooney
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
 
Tunneling vpn security and implementation
Tunneling vpn security and implementationTunneling vpn security and implementation
Tunneling vpn security and implementationMohibullah Saail
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
TLS: Past, Present, Future
TLS: Past, Present, FutureTLS: Past, Present, Future
TLS: Past, Present, Futurevpnmentor
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer SecurityHuda Seyam
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsAFRINIC
 

Was ist angesagt? (20)

Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3
 
Networking Task
Networking Task Networking Task
Networking Task
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?
 
TLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one specTLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one spec
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
 
Tunneling vpn security and implementation
Tunneling vpn security and implementationTunneling vpn security and implementation
Tunneling vpn security and implementation
 
Tunneling
TunnelingTunneling
Tunneling
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule Writing
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
TLS: Past, Present, Future
TLS: Past, Present, FutureTLS: Past, Present, Future
TLS: Past, Present, Future
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 
TLS
TLSTLS
TLS
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defs
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 

Ähnlich wie Email Security Study Finds Widespread Issues

6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docxtroutmanboris
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?Microsoft
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureBrian Ritchie
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderSplend
 
How to Gain Visibility into Encrypted Threats
How to Gain Visibility into Encrypted ThreatsHow to Gain Visibility into Encrypted Threats
How to Gain Visibility into Encrypted ThreatsShain Singh
 
Sử dụng TLS đúng cách - Phạm Tùng Dương
Sử dụng TLS đúng cách - Phạm Tùng DươngSử dụng TLS đúng cách - Phạm Tùng Dương
Sử dụng TLS đúng cách - Phạm Tùng DươngSecurity Bootcamp
 
Oracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesOracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesMarkus Flechtner
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...APNIC
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat Security Conference
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 
IR-Optimising-Your-Network.pdf
IR-Optimising-Your-Network.pdfIR-Optimising-Your-Network.pdf
IR-Optimising-Your-Network.pdfChandanPrajwal
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesSSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesTiago Mendo
 
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3Adel Karimi
 

Ähnlich wie Email Security Study Finds Widespread Issues (20)

6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
 
Let's Encrypt + DANE
Let's Encrypt + DANELet's Encrypt + DANE
Let's Encrypt + DANE
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
 
How to Gain Visibility into Encrypted Threats
How to Gain Visibility into Encrypted ThreatsHow to Gain Visibility into Encrypted Threats
How to Gain Visibility into Encrypted Threats
 
Sử dụng TLS đúng cách - Phạm Tùng Dương
Sử dụng TLS đúng cách - Phạm Tùng DươngSử dụng TLS đúng cách - Phạm Tùng Dương
Sử dụng TLS đúng cách - Phạm Tùng Dương
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
Oracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesOracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection Issues
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
 
HTTPS @Scale
HTTPS @ScaleHTTPS @Scale
HTTPS @Scale
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019
 
IR-Optimising-Your-Network.pdf
IR-Optimising-Your-Network.pdfIR-Optimising-Your-Network.pdf
IR-Optimising-Your-Network.pdf
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesSSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
 
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
 

Mehr von Aaron Zauner

Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...
Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...
Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...Aaron Zauner
 
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...Aaron Zauner
 
Javascript Object Signing & Encryption
Javascript Object Signing & EncryptionJavascript Object Signing & Encryption
Javascript Object Signing & EncryptionAaron Zauner
 
Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Aaron Zauner
 
Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!Aaron Zauner
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS SecurityAaron Zauner
 
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014Aaron Zauner
 
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014 [Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014 Aaron Zauner
 
BetterCrypto: Applied Crypto Hardening
BetterCrypto: Applied Crypto HardeningBetterCrypto: Applied Crypto Hardening
BetterCrypto: Applied Crypto HardeningAaron Zauner
 
How to save the environment
How to save the environmentHow to save the environment
How to save the environmentAaron Zauner
 
Sc12 workshop-writeup
Sc12 workshop-writeupSc12 workshop-writeup
Sc12 workshop-writeupAaron Zauner
 

Mehr von Aaron Zauner (11)

Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...
Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...
Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...
 
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
 
Javascript Object Signing & Encryption
Javascript Object Signing & EncryptionJavascript Object Signing & Encryption
Javascript Object Signing & Encryption
 
Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)
 
Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS Security
 
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
 
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014 [Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
 
BetterCrypto: Applied Crypto Hardening
BetterCrypto: Applied Crypto HardeningBetterCrypto: Applied Crypto Hardening
BetterCrypto: Applied Crypto Hardening
 
How to save the environment
How to save the environmentHow to save the environment
How to save the environment
 
Sc12 workshop-writeup
Sc12 workshop-writeupSc12 workshop-writeup
Sc12 workshop-writeup
 

Kürzlich hochgeladen

Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Kürzlich hochgeladen (20)

Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Email Security Study Finds Widespread Issues

  • 1. State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner IETF93 Prague, Security Area Open Meeting - 23/07/2015
  • 3. Context § Joined SBA-Research in Janurary to help with an ongoing Internet-wide scanning project § We’ve conducted scans on e-mail related ports over the last couple of months § Currently digging through collected data and writing papers IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 1/12
  • 4. Targets and Methods § SMTP(S), POP3(S), IMAP(S) and Legacy Ports § masscan and sslyze with a queueing framework built around it § Delay between handshakes in sslyze added § some POP/IMAP daemons are easily DoSed § Runs spanning months (roughly from April to June) § About 9.2 billon TLS handshakes with sslyze § Multiple masscan runs for banners/certs § triggered dovecot bug (CVE-2015-3420) :) § initially discovered and investigated/reported upstream by Hanno Boeck IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 2/12
  • 5. Protocol Support IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 3/12
  • 6. RC4 Accepting RC4 Not accepting RC4 SMTPS 82,27 17,73 SMTP 86,27 13,73 IMAPS 83,36 16,64 IMAP 85,71 14,29 POP3S 83,74 16,26 POP3 86,51 13,49 Table : RC4 Cipher Support Percentage IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 4/12
  • 7. AUTH PLAIN offered by hosts SMTP (25) § 917,536 - AUTH PLAIN, no STARTTLS support § 1,722,387 - AUTH PLAIN & STARTTLS IMAP (143) § 211,962 - AUTH PLAIN, no STARTTLS support § 3,243,632 - AUTH PLAIN & STARTTLS POP3 (110) § 225,341 - AUTH PLAIN, no STARTTLS support § 3,391,525 AUTH PLAIN & STARTTLS IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 5/12
  • 8. Certificates ssc: signed certificate, ok: CA signed, local: unable to get local issuer certificate, ssc chain: self signed certificate in certificate chain (Mozilla Truststore) IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 6/12
  • 9. Certificates (cont.) SMTP and SMTPS § Almost all leafs >= 1024 bit RSA (most 2048) § Same for intermediates (fewer than 200 with less than 1024 bit RSA) POP3(S) and IMAP(S) § Very similar results, a few more low-bit leaf and intermediates. IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 7/12
  • 10. Weak ciphers and Anon-DH SMTP (STARTTLS) § RC2-CBC-MD5 - 40.9% accept (26.5% prefer!) § IDEA-CBC-MD5 - 14.4% accept SMTPS § Anon-DH suites: about 12% acceptance POP(S)/IMAP(S) § Nothing too exciting, ask me about details if you’re interested IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 8/12
  • 11. Key-exchange DH(E) § Large number of 512bit DH primes in SMTP § Sigificant amount of DH group size =< 1024 in all studied protocols ECDH(E) § Group size: most use 256, some 384, very few 521 throughout studied protocols Common Primes § Apache prime (Adrian et al ‘Weak-DH’ paper) not used § mod_ssl prime: some users, very few more on this topic TBD IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 9/12
  • 12. Weak Keys Analyzed 40,268,806 collected certificates. Rather unspecacular: Fast-GCD (Heninger et al. “Mining P’s & Q’s”, algo. by djb) § 30,757,242 RSA moduli § 2,354,090 uniques § 456 GCDs found Debian Weak-Keys (CVE-2008-0166) § Compared to openssl-blacklist package § A single (1) match IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 10/12
  • 13. Conclusion § First to conduct such a detailed study for E-Mail § A lot of issues with transport security in the e-mail ecosystem § Results are pretty much what we’ve expected beforehand § We’ll publish all collected datasets (soon-ish) § More studies, analysis and papers forthcoming § We have tons of additional data, if you have specific questions write us! IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 11/12
  • 14. Thanks for your patience. Are there any questions? Point of contact: abuse@sba-research.org IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 12/12