Jered Floyd writes:
As I discovered (to my chagrin) Mailman's current simple RFC 2369 List-Unsubscribe field doesn't, even for personalized lists where there might be a personalized link in the footer.
My understanding from up-thread is that the RFC 2369 headers are added pre-personalization.
They are. It would also be trivial to personalize them; they just aren't.
If we add a timestamp to the encrypted token I suggest there should be a pretty broad window allowed (i.e. several months).
I guess it would be a matter of keeping 2 tokens in the database.
Safety would suggest adding a random nonce and that would need to be saved in the database.)
Do you just mean a salt? Or are you suggesting adding a per-subscription nonce stored in the DB? (In which case, that could simply be the URI token...)
Per-subscription and it would be the URI token.
I agree with your analysis, but this would be a very specialized attack, especially if we don't provide direct feedback on if the request was successful (which we are not required to do).
I think we do need to provide feedback, at least when the request fails due to an expired token.
I have trouble constructing a practical threat here
I don't know if there's a practical threat. I don't think the known plaintext attack on the key is practical if we use a key dedicated to this purpose. You'd need at least a large university's collection of tokens, and what could you do with it that would be worth the effort? The DOS attack is practical if encryption is expensive enough. But storing the token would make that a single database lookup.
and I think the encrypted tuple, or a plaintext tuple and truncated HMAC (like how SRS works) would be sufficient.
Checking the encrypted tuple is cheaper and simpler.
The real risk without a per-subscription random unique identifier would be a replay attack -- the user is unsubscribed multiple times? That feels outside of the threat model.
The identifier has to be unique to the subscription. If there are multiple valid unsubscriptions, the later ones won't have an existing subscription to unsubscribe. That does argue for the nonce -- that would stop the attack in the case where the user resubscribes.
And you could combine the two strategies which would allow sites that don't use Postorius to configure the reverse proxy, while sites that do would get it for "free" since we'd configure Postorius to do it.
I hadn't considered this -- I definitely like this approach because it means the same function need not be implemented twice, differently.
OK, that's part of the design we'll start with.
guess the big question is now just what the simplest content of the URI should be.
I think there should be just an opaque token plus an optional expiration date for sites paranoid enough to have a rotation policy for the keys. We need to do some thinking about how to implement "several months validity" in case of a sudden key change. The expiration date is irrelevant to the implementation of 8058, it's just for the benefit of the user (and data collection for how old the token is, I guess).
This is shaping up pretty well, I think.
The Internet is an increasingly hostile place.
True enough.
Regardless, not something we can do much about.
There's hope. When Yahoo! and AOL broke the Internet in 2014 by setting p=reject DMARC policies, the Ministry of Education issued "administrative guidance" that *yahoo.* addresses should not be used for school business, and my university sent them all to spam. ;-) Including yahoo.jp which did not have a p=reject policy.
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan