SlideShare ist ein Scribd-Unternehmen logo

Email Security Study Finds Widespread Issues

Aaron Zauner
Aaron Zauner

IETF93

Technologie
1 von 14
Downloaden Sie, um offline zu lesen
State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner IETF93 Prague, Security Area Open Meeting - 23/07/2015
Overview Results Conclusion
Context § Joined SBA-Research in Janurary to help with an ongoing Internet-wide scanning project § We’ve conducted scans on e-mail related ports over the last couple of months § Currently digging through collected data and writing papers IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 1/12
Targets and Methods § SMTP(S), POP3(S), IMAP(S) and Legacy Ports § masscan and sslyze with a queueing framework built around it § Delay between handshakes in sslyze added § some POP/IMAP daemons are easily DoSed § Runs spanning months (roughly from April to June) § About 9.2 billon TLS handshakes with sslyze § Multiple masscan runs for banners/certs § triggered dovecot bug (CVE-2015-3420) :) § initially discovered and investigated/reported upstream by Hanno Boeck IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 2/12
Protocol Support IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 3/12
RC4 Accepting RC4 Not accepting RC4 SMTPS 82,27 17,73 SMTP 86,27 13,73 IMAPS 83,36 16,64 IMAP 85,71 14,29 POP3S 83,74 16,26 POP3 86,51 13,49 Table : RC4 Cipher Support Percentage IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 4/12
AUTH PLAIN offered by hosts SMTP (25) § 917,536 - AUTH PLAIN, no STARTTLS support § 1,722,387 - AUTH PLAIN & STARTTLS IMAP (143) § 211,962 - AUTH PLAIN, no STARTTLS support § 3,243,632 - AUTH PLAIN & STARTTLS POP3 (110) § 225,341 - AUTH PLAIN, no STARTTLS support § 3,391,525 AUTH PLAIN & STARTTLS IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 5/12
Certificates ssc: signed certificate, ok: CA signed, local: unable to get local issuer certificate, ssc chain: self signed certificate in certificate chain (Mozilla Truststore) IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 6/12
Certificates (cont.) SMTP and SMTPS § Almost all leafs >= 1024 bit RSA (most 2048) § Same for intermediates (fewer than 200 with less than 1024 bit RSA) POP3(S) and IMAP(S) § Very similar results, a few more low-bit leaf and intermediates. IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 7/12
Weak ciphers and Anon-DH SMTP (STARTTLS) § RC2-CBC-MD5 - 40.9% accept (26.5% prefer!) § IDEA-CBC-MD5 - 14.4% accept SMTPS § Anon-DH suites: about 12% acceptance POP(S)/IMAP(S) § Nothing too exciting, ask me about details if you’re interested IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 8/12
Key-exchange DH(E) § Large number of 512bit DH primes in SMTP § Sigificant amount of DH group size =< 1024 in all studied protocols ECDH(E) § Group size: most use 256, some 384, very few 521 throughout studied protocols Common Primes § Apache prime (Adrian et al ‘Weak-DH’ paper) not used § mod_ssl prime: some users, very few more on this topic TBD IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 9/12
Weak Keys Analyzed 40,268,806 collected certificates. Rather unspecacular: Fast-GCD (Heninger et al. “Mining P’s & Q’s”, algo. by djb) § 30,757,242 RSA moduli § 2,354,090 uniques § 456 GCDs found Debian Weak-Keys (CVE-2008-0166) § Compared to openssl-blacklist package § A single (1) match IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 10/12
Conclusion § First to conduct such a detailed study for E-Mail § A lot of issues with transport security in the e-mail ecosystem § Results are pretty much what we’ve expected beforehand § We’ll publish all collected datasets (soon-ish) § More studies, analysis and papers forthcoming § We have tons of additional data, if you have specific questions write us! IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 11/12
Thanks for your patience. Are there any questions? Point of contact: abuse@sba-research.org IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 12/12

Empfohlen

No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...Aaron Zauner
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS SecurityAaron Zauner
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
05 06 ike
05 06 ike05 06 ike
05 06 ikeBabaa Naya
 
DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)Olle E Johansson
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer securityMaarten Smeets
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesJaroslavChmurny
 

Empfohlen

No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...Aaron Zauner
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS SecurityAaron Zauner
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
05 06 ike
05 06 ike05 06 ike
05 06 ikeBabaa Naya
 
DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)Olle E Johansson
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer securityMaarten Smeets
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesJaroslavChmurny
 
Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3vpnmentor
 
Networking Task
Networking Task Networking Task
Networking Task Nicole Gaehle, MSIST
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaWardner Maia
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?hannob
 
TLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one specTLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one specNatasha Rooney
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
 
Tunneling vpn security and implementation
Tunneling vpn security and implementationTunneling vpn security and implementation
Tunneling vpn security and implementationMohibullah Saail
 
Tunneling
TunnelingTunneling
TunnelingIlan Mindel
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLSDr Anjan Krishnamurthy
 
TLS: Past, Present, Future
TLS: Past, Present, FutureTLS: Past, Present, Future
TLS: Past, Present, Futurevpnmentor
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App FirewallBrian A. McHenry
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15Brian A. McHenry
 
TLS
TLSTLS
TLSDaniel Stenberg
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGPSarang Ananda Rao
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer SecurityHuda Seyam
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsAFRINIC
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasJean-Baptiste Trystram
 
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docxtroutmanboris
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?Microsoft
 

Weitere ähnliche Inhalte

Was ist angesagt?

Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3vpnmentor
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaWardner Maia
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?hannob
 
TLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one specTLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one specNatasha Rooney
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
 
Tunneling vpn security and implementation
Tunneling vpn security and implementationTunneling vpn security and implementation
Tunneling vpn security and implementationMohibullah Saail
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
TLS: Past, Present, Future
TLS: Past, Present, FutureTLS: Past, Present, Future
TLS: Past, Present, Futurevpnmentor
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer SecurityHuda Seyam
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsAFRINIC
 

Was ist angesagt? (20)

Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3
 
Networking Task
Networking Task Networking Task
Networking Task
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?
 
TLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one specTLS Perf: from three to zero in one spec
TLS Perf: from three to zero in one spec
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
 
Tunneling vpn security and implementation
Tunneling vpn security and implementationTunneling vpn security and implementation
Tunneling vpn security and implementation
 
Tunneling
TunnelingTunneling
Tunneling
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule Writing
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
TLS: Past, Present, Future
TLS: Past, Present, FutureTLS: Past, Present, Future
TLS: Past, Present, Future
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 
TLS
TLSTLS
TLS
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defs
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 

Ähnlich wie Email Security Study Finds Widespread Issues

6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docxtroutmanboris
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?Microsoft
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureBrian Ritchie
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderSplend
 
How to Gain Visibility into Encrypted Threats
How to Gain Visibility into Encrypted ThreatsHow to Gain Visibility into Encrypted Threats
How to Gain Visibility into Encrypted ThreatsShain Singh
 
Sử dụng TLS đúng cách - Phạm Tùng Dương
Sử dụng TLS đúng cách - Phạm Tùng DươngSử dụng TLS đúng cách - Phạm Tùng Dương
Sử dụng TLS đúng cách - Phạm Tùng DươngSecurity Bootcamp
 
Oracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesOracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesMarkus Flechtner
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...APNIC
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat Security Conference
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 
IR-Optimising-Your-Network.pdf
IR-Optimising-Your-Network.pdfIR-Optimising-Your-Network.pdf
IR-Optimising-Your-Network.pdfChandanPrajwal
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesSSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesTiago Mendo
 
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3Adel Karimi
 

Ähnlich wie Email Security Study Finds Widespread Issues (20)

6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
6222019 Originality Reporthttpsblackboard.nec.eduweb.docx
 
How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?How (un)secure is SSL/TLS?
How (un)secure is SSL/TLS?
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
 
Let's Encrypt + DANE
Let's Encrypt + DANELet's Encrypt + DANE
Let's Encrypt + DANE
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
 
How to Gain Visibility into Encrypted Threats
How to Gain Visibility into Encrypted ThreatsHow to Gain Visibility into Encrypted Threats
How to Gain Visibility into Encrypted Threats
 
Sử dụng TLS đúng cách - Phạm Tùng Dương
Sử dụng TLS đúng cách - Phạm Tùng DươngSử dụng TLS đúng cách - Phạm Tùng Dương
Sử dụng TLS đúng cách - Phạm Tùng Dương
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
Oracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesOracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection Issues
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
 
HTTPS @Scale
HTTPS @ScaleHTTPS @Scale
HTTPS @Scale
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019
 
IR-Optimising-Your-Network.pdf
IR-Optimising-Your-Network.pdfIR-Optimising-Your-Network.pdf
IR-Optimising-Your-Network.pdf
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesSSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
 
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
honeyTLS - Profiling and Clustering Internet-wide SSL/TLS Scans with JA3
 

Mehr von Aaron Zauner

Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...
Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...
Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...Aaron Zauner
 
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...Aaron Zauner
 
Javascript Object Signing & Encryption
Javascript Object Signing & EncryptionJavascript Object Signing & Encryption
Javascript Object Signing & EncryptionAaron Zauner
 
Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Aaron Zauner
 
Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!Aaron Zauner
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS SecurityAaron Zauner
 
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014Aaron Zauner
 
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014 [Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014 Aaron Zauner
 
BetterCrypto: Applied Crypto Hardening
BetterCrypto: Applied Crypto HardeningBetterCrypto: Applied Crypto Hardening
BetterCrypto: Applied Crypto HardeningAaron Zauner
 
How to save the environment
How to save the environmentHow to save the environment
How to save the environmentAaron Zauner
 
Sc12 workshop-writeup
Sc12 workshop-writeupSc12 workshop-writeup
Sc12 workshop-writeupAaron Zauner
 

Mehr von Aaron Zauner (11)

Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...
Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...
Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating...
 
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
 
Javascript Object Signing & Encryption
Javascript Object Signing & EncryptionJavascript Object Signing & Encryption
Javascript Object Signing & Encryption
 
Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)Introduction to and survey of TLS security (BsidesHH 2014)
Introduction to and survey of TLS security (BsidesHH 2014)
 
Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS Security
 
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
 
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014 [Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014
 
BetterCrypto: Applied Crypto Hardening
BetterCrypto: Applied Crypto HardeningBetterCrypto: Applied Crypto Hardening
BetterCrypto: Applied Crypto Hardening
 
How to save the environment
How to save the environmentHow to save the environment
How to save the environment
 
Sc12 workshop-writeup
Sc12 workshop-writeupSc12 workshop-writeup
Sc12 workshop-writeup
 

Kürzlich hochgeladen

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 

Kürzlich hochgeladen (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 

Email Security Study Finds Widespread Issues

  • 1. State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner IETF93 Prague, Security Area Open Meeting - 23/07/2015
  • 3. Context § Joined SBA-Research in Janurary to help with an ongoing Internet-wide scanning project § We’ve conducted scans on e-mail related ports over the last couple of months § Currently digging through collected data and writing papers IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 1/12
  • 4. Targets and Methods § SMTP(S), POP3(S), IMAP(S) and Legacy Ports § masscan and sslyze with a queueing framework built around it § Delay between handshakes in sslyze added § some POP/IMAP daemons are easily DoSed § Runs spanning months (roughly from April to June) § About 9.2 billon TLS handshakes with sslyze § Multiple masscan runs for banners/certs § triggered dovecot bug (CVE-2015-3420) :) § initially discovered and investigated/reported upstream by Hanno Boeck IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 2/12
  • 5. Protocol Support IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 3/12
  • 6. RC4 Accepting RC4 Not accepting RC4 SMTPS 82,27 17,73 SMTP 86,27 13,73 IMAPS 83,36 16,64 IMAP 85,71 14,29 POP3S 83,74 16,26 POP3 86,51 13,49 Table : RC4 Cipher Support Percentage IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 4/12
  • 7. AUTH PLAIN offered by hosts SMTP (25) § 917,536 - AUTH PLAIN, no STARTTLS support § 1,722,387 - AUTH PLAIN & STARTTLS IMAP (143) § 211,962 - AUTH PLAIN, no STARTTLS support § 3,243,632 - AUTH PLAIN & STARTTLS POP3 (110) § 225,341 - AUTH PLAIN, no STARTTLS support § 3,391,525 AUTH PLAIN & STARTTLS IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 5/12
  • 8. Certificates ssc: signed certificate, ok: CA signed, local: unable to get local issuer certificate, ssc chain: self signed certificate in certificate chain (Mozilla Truststore) IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 6/12
  • 9. Certificates (cont.) SMTP and SMTPS § Almost all leafs >= 1024 bit RSA (most 2048) § Same for intermediates (fewer than 200 with less than 1024 bit RSA) POP3(S) and IMAP(S) § Very similar results, a few more low-bit leaf and intermediates. IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 7/12
  • 10. Weak ciphers and Anon-DH SMTP (STARTTLS) § RC2-CBC-MD5 - 40.9% accept (26.5% prefer!) § IDEA-CBC-MD5 - 14.4% accept SMTPS § Anon-DH suites: about 12% acceptance POP(S)/IMAP(S) § Nothing too exciting, ask me about details if you’re interested IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 8/12
  • 11. Key-exchange DH(E) § Large number of 512bit DH primes in SMTP § Sigificant amount of DH group size =< 1024 in all studied protocols ECDH(E) § Group size: most use 256, some 384, very few 521 throughout studied protocols Common Primes § Apache prime (Adrian et al ‘Weak-DH’ paper) not used § mod_ssl prime: some users, very few more on this topic TBD IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 9/12
  • 12. Weak Keys Analyzed 40,268,806 collected certificates. Rather unspecacular: Fast-GCD (Heninger et al. “Mining P’s & Q’s”, algo. by djb) § 30,757,242 RSA moduli § 2,354,090 uniques § 456 GCDs found Debian Weak-Keys (CVE-2008-0166) § Compared to openssl-blacklist package § A single (1) match IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 10/12
  • 13. Conclusion § First to conduct such a detailed study for E-Mail § A lot of issues with transport security in the e-mail ecosystem § Results are pretty much what we’ve expected beforehand § We’ll publish all collected datasets (soon-ish) § More studies, analysis and papers forthcoming § We have tons of additional data, if you have specific questions write us! IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 11/12
  • 14. Thanks for your patience. Are there any questions? Point of contact: abuse@sba-research.org IETF93 Prague, Security Area Open Meeting - 23/07/2015 State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner 12/12