Arnt
2 days ago
I switched to letsencrypt certs for my imap server. Works well, IMO better than the self-signed ones I used before.
hedora
a day ago
That adds a lot of attack surface vs. issuing a self-signed cert and confirming it was securely verified by your IMAP client.
Not only could Let’s Encrypt issue a MITM cert for your IMAP connections, so could other CAs, and any cloud providers / DNS providers you use.
kelnos
a day ago
Pretty sure most people's threat model doesn't really care about the scenarios you mention. And for most people, that's fine.
ho_schi
a day ago
A threat model which people using self-signed certificates especially care about.
The idea of certificate authorities, certificate chains and intermediary certificates is common - and based on top down security. That is the reason why it is so dangerous. There is a “lock” and people believe everything is “good” but actually DigiNotar, TurkTrust or the bad government issued a certificate. Google tried more than once to improve the situation but I think they just told Chrome only to accept their actual certificates for their services?
Messenger apps like Signal show how it should be done: the user checks and accepts. Cameras and QR codes made it easy. SSH's ASCII fingerprints are a nice thing, too.
PS: Yep. You shall look at the fingerprint of your chat partners in any messenger app.
crote
a day ago
But if you distrust the entire PKI ecosystem, how are you intending to use your email server?
If someone is trying to send you an email, their admin definitely isn't going to set up an in-person meeting with you to exchange certificate signatures. Their server is either going to accept any certificate (which means MitM is trivial), or they're going to verify it against PKI (which you don't use because you don't trust it) and abort the connection upon seeing a self-signed certificate.
It's the same if you're sending a reply back: if you're not willing to trust PKI, your server has no way of verifying the recipient's server's identity. You don't trust PKI, and they are not going to manually exchange signatures, so your options are either not sending email at all, or accepting that it is MitMed.
So you're left with a threat model where your adversary is able to fake PKI certificates (so they are nation-state sized) and they are able to MitM the connection from your server to your client - but they are not able to MitM the connection from your server to a third party's server. Call me naive, but I highly doubt such an attacker exists.
appendix-rock
a day ago
The answer to this is that anyone that’s thinking in this way is already so elbow deep in security fetishism that real-world implications have long stopped mattering.
gjadi
16 hours ago
IMAP is for reading your emails, not sending. That means you could accept PKI for SMTP to communicate with untrustworthy clients, but want to ensure that your access to your emails is safe(r).
actionfromafar
a day ago
There are or were two kinds of people using self-signed certificates. The vast majority used to be "I don't know how or can't afford to get a certificate chain cert."
Now, with letsencrypt, what's left of the "can't afford group" is "I can't be arsed to update my config yet".
outofpaper
a day ago
Just because many people using self-signed certs are at the "don't know" stage isn't a reason to invalidate them.
actionfromafar
a day ago
For IMAP, I'm one of them! :-D
xg15
a day ago
I love how the entire free PKI ecosystem is now relying on one single company.
nucleardog
21 hours ago
It’s not. There’s LetsEncrypt, ZeroSSL, BuyPass, SSL.com, and Google Trust Services[0]. The ACME protocol is standardized and you can point your client at any of these at any time, and other providers can begin providing certificates at any time. Some tooling[1] even uses other providers by default.
[0] https://acmeclients.com/certificate-authorities/
[1] https://github.com/acmesh-official/acme.sh/wiki/Change-defau...
compsciphd
a day ago
Why use a self-signed certificate? Why not create your own signer cert, install that into iOS, and then it's no longer a "self signed" cert, but just a private cert org.
iOS does allow you to install private signer certs, right? (right?)
ehhthing
a day ago
iOS never supported this configuration regardless, a change in SSL certificate does not cause any kind of notification to the user.
Also, you're basically objecting to the entire idea of PKI for use in IMAP which is incredibly hard to justify. Perhaps you wish to use a different model for your own personal reasons but the default being PKI should not be controversial, and if you want to use your own model you should use a different mail client.
detourdog
a day ago
It did support it. One had to trust the certificate manually. I gave up on self-signed certs about 6 years ago.
AlphaCharlie
a day ago
How does a self-signed cert protect you from MITM if the iPhone will accept any signed certificate thereafter? There’s no cert pinning AFAIK in IMAPS.
xg15
a day ago
You'd have to manually trust the MITM cert again? Which you certainly would not do as you know you didn't create a new self-signed cert in that moment.
commandersaki
a day ago
Uh what is a mitm cert? You're the custodian of the private key associated with the certificate, not LetsEncrypt.
And any CA can generate a certificate to MITM anything. That's why it's pretty much a requirement to submit all certs issued to Certificate Transparency, and if you're found to be misbehaving expect to receive ire from CA/B.
beeflet
a day ago
why should I require some third party's permission to do encryption between one of my computers and another one of my computers?
jchw
a day ago
The whole system and everything built on it that underlies trust in encryption on the modern Internet is designed in a way that requires parties called certificate authorities. That's just the design, since it was largely designed for two unrelated people to establish secure communication.
Clearly, it is not required to use a third party. First of all, you can sign your own cert using itself, then verify it manually. However, this is not the trust model that most Internet software uses. That model is closer to what SSH does, sometimes called TOFU (Trust On First Use). The model that is intended is for the certificate chain to be verified back to a trust root (ignoring other wrinkles.) There's really no particular reason why self-signed certificates must be supported.
Note that I don't think this makes the bug report invalid. It seems like a regression that is not intentional. However, the important point is that a third party still isn't needed to use the system as intended. You can, in fact, issue your own CA certificates, trust them on your devices, and then use those to sign your own certificates, making yourself the authority. This will work even on iOS as far as I know, and it follows the typical trust model so software should handle it as expected (though apps that use certificate pinning or bundle the Mozilla CA certificates statically instead of using the operating system's trust store may not work, but by and large it works.)
Personally, I just use Let's Encrypt. That way other people can establish a "secure" connection to my devices, too.
kelnos
a day ago
You shouldn't, and (this iOS bug aside) you don't, in general. But you're going to run into less friction if you do it the "blessed" way. That's just life.
darkhorn
a day ago
There are many other questions to ask until you come to this question. One of them is: why doesn't iOS let me play my own mp3s?
scarface_74
a day ago
You can, you just have to use iTunes from your computer like it’s 2003 to add it to your music library.
fragmede
a day ago
It's not being required, just that the thread is about Let's Encrypt, which is ostensibly easier than setting up your own CA and distributing the root certificates to your devices. Which isn't too difficult, but given how many people apparently use self-signed certificates, it's a bit high a bar.
kijin
a day ago
Because you chose to use a program that doesn't accept self-signed certificates. Use a different program or a different computer that actually respects your freedom to tinker with it. Problem solved.
DidYaWipe
a day ago
No. He noted that it's a REGRESSION. So he chose one that DID accept them.
Running away from defects doesn't get them fixed.
Arnt
a day ago
Self-signed certs were a defect — people were used to just clicking OK and blackhats exploited that.
OP wants support for the special case where only the cert issuer trusts the cert (he has his own self-signed cert). Apple and others do support that: You make a private CA, trust that CA in the device, and then use that CA to sign certs for your IMAP server. IIRC (and this is from vague memory) you may need to configure yourself to be a company that manages employees' devices.
kortilla
a day ago
> Uh what is a mitm cert? You're the custodian of the private key associated with the certificate, not LetsEncrypt.
Don’t be obtuse. Letsencrypt and every other trusted CA has the ability to issue new certs for any domain at any time without you knowing.
There is absolutely no requirement to submit these to Certificate Transparency. That’s a thing some browsers do, but not most mail clients.
If you don’t trust the root CAs at all and only trust your self signed cert or only trust another signing cert you control, then a mitm isn’t possible without getting your private signing cert keys.
nucleardog
21 hours ago
Not that it removes you entirely from the PKI ecosystem as you seem to desire, but in case you’re not aware, since 2017 CAs are required to check and honour the CAA DNS records you set. These specify which CAs are allowed to issue certificates for your domain.
If any CA issues a certificate anyway, they’re in violation of requirement 3.2.2.8. Don’t know what you’re up to, but I have to imagine it would have to be pretty interesting to someone for one of those companies to face down an existential threat and misissue a certificate for your domain.
commandersaki
a day ago
> Don’t be obtuse. Letsencrypt and every other trusted CA has the ability to issue new certs for any domain at any time without you knowing.
You shouldn't use words you don't understand. I already pointed this out.
> There is absolutely no requirement to submit these to Certificate Transparency. That’s a thing some browsers do, but not most mail clients.
If you want to be in the Chrome bundle or Safari/Mac bundle you need to submit to at least one approved CT log. If you're found misbehaving or issuing non-compliant certificates, expect ire from CA/B and potential ejection from certificate trust stores. This has happened quite a number of times, and CAs in the WebPKI trust are highly unlikely to issue a MITM certificate.
ThePowerOfFuet
17 hours ago
https://letsencrypt.org/docs/caa/
Not enough? Account binding.
https://community.letsencrypt.org/t/enabling-acme-caa-accoun...
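The CAA check and account binding mentioned in the two comments above can be sketched as follows. This is an added example, not code from any commenter or CA: it follows the lookup rules of RFC 8659 and the `accounturi` parameter of RFC 8657, and the zone contents and account URI are constructed sample values.

```python
def parse_issuer(value):
    """Split 'ca.example; accounturi=...' into (issuer domain, parameters)."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), {k.strip().lower(): v.strip() for k, v in params.items()}


def relevant_rrset(zone, fqdn):
    """Climb from fqdn towards the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(zone, name, ca_domain, account_uri):
    """True if the CAA policy lets ca_domain, acting for account_uri, issue for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 0x80 and tag.lower() not in known for flags, tag, _ in rrset):
        return False  # unknown property marked critical: the CA must refuse

    def by_tag(wanted):
        return [v for _, tag, v in rrset if tag.lower() == wanted]

    # For wildcard names, issuewild (when present) replaces issue.
    values = (by_tag("issuewild") if wildcard else []) or by_tag("issue")
    if not values:
        return True  # no issue restriction published: any CA may issue
    for value in values:
        issuer, params = parse_issuer(value)
        if issuer != ca_domain.lower():
            continue  # an empty issuer (";") never matches, so it forbids everyone
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # account binding: right CA, wrong ACME account
        return True
    return False


# Constructed sample policy for the thread's example domain (not real records).
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/000000"  # constructed
ZONE = {"mmd45.com": [
    (0, "issue", f"letsencrypt.org; accounturi={ACCT}"),
    (0, "issuewild", ";"),
]}
```

With this policy only the named account at one CA may issue for `imap.mmd45.com`, and nobody may issue a wildcard; a domain with no CAA records at all leaves every CA permitted.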
ytch
2 days ago
ACME DNS-01 Challenge doesn't need a publicly resolvable and reachable host; it just sets a temporary DNS record to verify.
mmd45
2 days ago
I'm using a private ip over a vpn so I don't think that workaround will work for me. I don't really want a public dns record.
cpach
2 days ago
If so, then you might want to mint your own root certificate and then import it to your iPhone.
Arnt
2 days ago
LE will issue you a wildcard certificate and it's usable for mail.
mmd45
2 days ago
i'm just using a hardcoded private ip to connect to the imap server. are you saying i can get a certificate with a hostname of "*" that will match ANY ip address?
oneplane
2 days ago
No, but you could use DNS for that internal IP. And then you'd have a hostname. Since your IMAP server likely has some way of getting external mail, it is likely that you have a DNS zone and MX records, so adding an A record for your internal IMAP access isn't that much of an effort compared to what you already would have.
If you have mmd45.com as a domain and have MX records pointing to your mail server, adding imap.mmd45.com pointing to your IMAP server should be fairly simple. Getting a Let's Encrypt certificate for *.mmd45.com is all that remains for the TLS part with a valid CA chain. As a bonus you can then also use encrypted SMTP.
mmd45
2 days ago
unfortunately none of that applies to my setup. my imap server lives in a dmz and doesn't have all that other jazz.
nucleardog
a day ago
Mine too. It does apply.
Seems to be a safe assumption you have a domain since you're receiving mail.
Go run something like certbot[0] on your mail server. It has plugins to integrate with various DNS providers. (This is who is hosting the zone where you map domains to IPs, not necessarily where you registered the domain.) If they don't have a plugin for your host, you could look at moving the zone (e.g., CloudFlare is free for something like this, Route53 is <$1/mo) or finding another tool that does support it[1].
No external IPs involved anywhere and you can get valid, trusted SSL certificates for your domain. Set up the auto-renewal (in essentially all cases, add something to crontab), and it'll periodically dump new certificates to disk for you so you never need to think about the certificates again.
If you don't even want anyone to know that there's a "imap.mmd45.com" in existence _somewhere_ in the world, you can issue a certificate for `*.mmd45.com` and it will cover any direct subdomains.
Now you actually need to _connect_ to your mailserver with some sort of hostname rather than IP. For desktop devices and stuff, you could just throw this in /etc/hosts if you wanted. Some VPN/VPN-adjacent tools have ways to push mappings like that. Basically all of them have a way to override the DNS server in use if you were willing to run your own DNS server on the same host that has your mailserver. You can also just create a public record mapping imap.mmd45.com to 10.1.2.3.
[0] https://eff-certbot.readthedocs.io/en/latest/
[1] https://letsencrypt.org/docs/client-options/
0x457
2 days ago
Only thing required for this setup to work: client needs to be able to resolve domain to internal ip.
I have wireguard mesh with a bunch of services that use LE for TLS that have no access to interwebs and not accessible from interwebs.
mschuster91
a day ago
> Only thing required for this setup to work: client needs to be able to resolve domain to internal ip.
It does not. Use DNS validation, that way you can issue LE certs for individual domains as well as wildcard certificates without needing to expose anything anywhere other than a CNAME record for the validation.
mmd45
2 days ago
how are you renewing the LE certificate if the domain is resolving to an internal ip? this seems like a big hoop to jump through.
ninkendo
a day ago
LE can use DNS itself as the challenge. It works something like:
- You manage the mmd45.me domain (through a dns provider, say dnsimple)
- You ask LE for a cert for imap.lan.mmd45.me (an address that doesn’t exist, but you use in /etc/hosts or something internally. Or maybe an internal dns server like a pihole or something. The rest of the internet doesn’t see this address)
- LE says “prove you own lan.mmd45.me by creating a TXT record containing <random-nonce> inside _acme-challenge.lan.mmd45.me”
- Certbot integrates with your DNS provider to create said TXT record
- LE sees the TXT record and determines you are the owner, and signs your cert. At this point certbot can just delete _acme-challenge.lan.mmd45.me because it did its job.
At no point does mail.lan.mmd45.me need to be externally resolvable to any address for this to work.
Arnt
2 days ago
LE doesn't need any A or AAAA record. The domain must exist in the DNS and you must be able to create records in the domain.
If you're using internet mail you have a domain, so you can do this. The time for self-signed certificates has passed.
kortilla
a day ago
A pinned self cert is still more secure than this because you don’t have to trust any CAs.
> The time for self-signed certificates has passed.
This is bad blanket advice and very much depends on use-case.
Arnt
a day ago
Software is a collective. A billion or so people get the same software. The time for self-signed certs has passed because supporting that in software for a billion people opens up some of that billion to attack.
The few people who understand the niceties of certs can create a private CA, trust that, and use that CA to sign a regular cert. Doing that is nontrivial, but it doesn't put other people at risk.
greyface-
2 days ago
Spivak
2 days ago
This can still work: imap.mydomain.com resolving to your hardcoded private IP, put the cert on your IMAP server, connect by name, done.
lxgr
2 days ago
This won't work on many home routers that filter out private/local IP A/AAAA records from DNS responses to protect against DNS rebinding.
wolrah
a day ago
How many people care about setting up secure connectivity to an internal server but are unable to either disable this behavior or configure their own internal DNS service?
My internal DNS names are served from my router and I'd imagine a lot of the people who would care about this in a home environment are running either open-source or business-class commercial devices that can do the same.