[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debcheckroot v2.0 released



Hi folks

You can now download the indicated program at https://www.elstel.org/atea/ and read some documentation at https://www.elstel.org/DANE/.

Kind Regards,
Elmar

Am 17.01.20 um 16:52 schrieb Elmar Stellnberger:
Hi Cindy Sue! Hi folks!

  I must confess there is little you can do about missing emails with debcheckroot. You can spot rootkits with hindsight but intelligence can also break in and go without leaving any trace. What would to my mind be necessary for a more secure email communication is a better penetration of DANE. Many CAs are known to issue rogue certificates to secret services so the public key is the only thing that may be trustworthy of a certificate. If that public key is signed and bound to a domain with DNSSEC (this is then called DANE) it shall be safe. I would guess that email dispatching was safe if encrypted and saved by DANE all the way to its target. F.i. it seems likely that intelligence just tries to halt email delivery if some suspicious email is in the queue until they have assessed what they wanna do about it. And it is questionable how those emails which seem to be sent successfully but which do not reach their target get lost.

   Something I as an end user can do about the emailing problem is to write and send my emails on a secure machine. If I am using webmail or an emailing program this requires to preconfigure certificates known to be safe and to only allow these. All CAs need to be disabled since the average user will never know which CAs issue rogue certificates. According to my knowledge any simple web page invocation immediately results in a cracked system if it is using a spoofed certificate which can not be excluded for any simple web search. Luckily my hoster provides DANE for the machines used for email delivery, webmailing and my website configuration panel. And I am still using a Debian 8 read only stick to boot such a secure system.

   Why the hell Debian 8? Isn`t that insecure? I believe it isn`t as long as I only visit these two web pages of my hoster. Unfortunately newer versions of Firefox have a special implementation for so called HSTS (http strict transport security) certificates. You can not add a security exception for such a certificate but you need to configure all dependent certification authorities for such a certificate. However with the first CA you acknowledge you compromise your system`s security. Older versions of Firefox did not have this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1606802

  I am currently looking forward to test which versions of Debian 9 would work. Firefox from Debian 10 does no more work. If you have good luck your webmailing server supports DANE but does not use HSTS. Then you can use a current Debian. With Debian 8 you simply need to delete libnssckbi.so from libnss3 to disable all default CAs. You can not delete them by hand. If you do you need to mark every singleton CA but that does not prevent all deleted CAs to reappear a second after you have deleted them. That is why you needed to delete the .so. With newer versions of Firefox deleting libnssckbi.so does not stay without side effects: You can then not acknowledge security exceptions by hand any more. I have written a script to do that automatically though and I am likely to publish it at https://www.elstel.org/DANE/ in the future if sufficient interest is given in the issue. Once I know the last good Firefox version I could also approach to resolve the bug from above for newer Firefox versions. Unfortunately Dana Keeler has given this bug a resolved invalid so that it is unsure whether they would accept the bugfix upstreams. According to Dana`s comments the bug should in deed be marked as WONTFIX. That would be correct. If you like vote or comment for/on this bug.

Elmar


Am 17.01.20 um 14:29 schrieb Cindy Sue Causey:
On 11/27/19, Elmar Stellnberger <estellnb@gmail.com> wrote:
Am 25.11.19 um 12:35 schrieb Patrick Schleizer:
Yes, forget about NSA and alike. Let's not assume quasi-omnipotent
attackers. That leads to defeatist mindset which isn't productive.
    I would not let myself be defeated easily. Who has thought about
emails in your inbox which are deleted before you can see them? Easily
doable. They would just need to know your password. Or about outgoing
emails which do not reach their target. As far as I have learnt to know
it you can see them in the sent folder but they never appear on the
other side, not even in the spam-box. The worse thing is however if
someone wants to contact you and you do not even know about it, the
other one just thinking you did not reply.

There have been two situations that, no, I can't name just this
second, so this is anecdotal material *until I stumble back upon* the
very real cases, BUT...

Twice in the last maybe six months, there has been chatter about the
receiving end's server(s) stopping the flow of incoming emails for
unknown reasons. The occurrences were purely "glitches", NOT on
purpose. It was either machine failure or accidentally
Human-instigated mis-code or something that provoked the situations.

End users found out when a sudden flood of sometimes OLD email
suddenly hit their email inboxes. The last one was just in last few
weeks. If and when I re-encounter that information, I'll post for
posterity. :)

As for the once formerly viewed and then now missing emails, been
there, done there. Things being what they are in my own #Life, I've
most definitely... "wondered" how the emails "disappeared" when they
are NOT something I would have EVER deleted. It affects very few, less
than a handful of correspondences.

Sanity is found in realizing I have a VERY LARGE inbox.. and I'm
surely just not using the right words for my queries. I've convinced
myself that I'm using words that convey the same thoughts as the
original messages but are not a search string-friendly match for the
specific words that were originally written. :)

Cindy :)


Reply to: