
Email Security Trail Map - A World beyond DMARC -


There are too many technologies for email security, so it is very difficult to understand what is really necessary and what the goal is.
In these slides I summarize each technology so that you can understand what you really need.


HIRANO Yoshitaka

December 11, 2019

Transcript

  1. Copyright© QUALITIA CO., LTD. All Rights Reserved. Email Security Trail Map ~A World beyond DMARC~
    QUALITIA CO., LTD, HIRANO Yoshitaka <hirano@qualitia.co.jp>
  2. Our Company Name
    Qualitia CO., LTD. HQ: 3-11-10 Nihombashi-Kayabacho, Chuo-ku, Tokyo. Capital: 85M yen. Since Oct. 1993. CEO: Ken Matsuda.
    ⚫ Development and Sales of Messaging Related Solutions
    ⚫ Supporting Efficient Communication and Security Enhancement
    ⚫ Providing the Messaging Related Cloud Services and Software
    Create the Future of "Communication" and "Security" with our Customers and Partners. QUALITY MAKES FUTURE
  3. Self Introduction
    Name: HIRANO Yoshitaka. Belongs to: QUALITIA Co., Ltd, Chief Engineer. Certifications: Licensed Scrum Master, Certified Scrum Developer. Activities: M3AAWG, JPAAWG, IA Japan Anti-Spam Mail Countermeasures Committee, Anti-Spam mail Promotion Council (ASPC), Message Research Institute, Audax Randonneurs Nihonbashi.
  4. Our Team
    We are researching and developing new features. Be our friend! Twitter account →
  5. Email Security? Where is the goal?
  6. Technologies for Email Security
    SPF, DKIM, misdelivery prevention, sanitize, password ZIP, anti-phishing, anti-spam, DNSSEC, SMTP AUTH, DANE, MTA-STS, STARTTLS, BIMI, ARC, DMARC, TLS-RPT, anti-virus, virus filter, sandbox, Anshin Mark. So many things!! I cannot understand.
  7. What do you want to protect, from what?
  8. What we protect from
    Diagram: QUALITIA's mail server, the other mail servers and the path between them, with the threats spoofing, hijacking, eavesdropping, tampering, stealing, leakage, malware and phishing.
  9. What you want to protect from
    •Spoofing, Tampering •Account Hijacking, Springboard •Eavesdropping •Spam, Malware, Phishing •Leakage
  10. Protect from Spoofing, Tampering
  11. Protect from Spoofing, Tampering
    Diagram: QUALITIA's mail server, an intermediate mail server and the recipient's mail server; spoofing and tampering happen on the path.
  12. Protect from Spoofing/Tampering
    •SPF •DKIM •DMARC •ARC •BIMI
  13. When there is no SPF
    Diagram: servers 192.0.2.1 and 203.0.113.1. The recipient receives:
    Env From: taro@qualitia.co.jp
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    Hi! I'm Taro @ QUALITIA. ・・・・
    Recipient: "OK, I transfer! Click!" ×
  14. When there is SPF
    Diagram: sent from 192.0.2.1.
    Env From: taro@qualitia.co.jp
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: spf=pass
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: qualitia.co.jp TXT "v=spf1 ip4:192.0.2.1 -all"
    The receiver checks the source IP using the Envelope From domain. ◦ Recipient: "OK, this is right. Transfer!"
  15. When there is SPF
    Diagram: servers 192.0.2.1 and 203.0.113.1.
    Env From: taro@qualitia.co.jp
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: spf=fail
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: qualitia.co.jp TXT "v=spf1 ip4:192.0.2.1 -all"
    Recipient: "Hmm, it looks fake." ×
  16. But!
  17. Even if there is SPF
    Diagram: servers 192.0.2.1 and 203.0.113.1; the sender uses the badgroup domain.
    Env From: jiro@badgroup.example
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: spf=none
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: qualitia.co.jp TXT "v=spf1 ip4:192.0.2.1 -all"
    Recipient: "OK, I transfer! Click!"
  18. Authenticated by badgroup's SPF
    Diagram: servers 192.0.2.1 and 203.0.113.1.
    Env From: jiro@badgroup.example
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: spf=pass
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: badgroup.example TXT "v=spf1 ip4:203.0.113.1 -all", qualitia.co.jp TXT "v=spf1 ip4:192.0.2.1 -all"
    Recipient: "OK, I transfer! Click!"
  19. SPF
    •Verify whether the pair of Envelope From and IP address is correct or not
    •RFC4408 (2006/04)
    Source IP = Envelope From = Header From ?
  20. DKIM
  21. When there is no DKIM
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: dkim=none
    Hi! I'm Taro @ QUALITIA. ・・・・
    Recipient: "OK, I transfer! Click!"
  22. When there is DKIM: send with signature
    DKIM-Signature: v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef・・・・
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: s1._domainkey.qualitia.co.jp TXT "v=dkim1;p=ABCDEF..."
    Diagram: the sender hashes the message and encrypts the hash with its private key; the public key is published in DNS.
  23. When there is DKIM
    DKIM-Signature: v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef・・・・
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: dkim=pass
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: s1._domainkey.qualitia.co.jp TXT "v=dkim1;p=ABCDEF..."
    Diagram: the receiver decrypts the signature with the public key and compares it with its own hash. ◦ Recipient: "OK, it's trustworthy. Transfer, click!"
  24. When there is DKIM: cannot sign without a private key!
    DKIM-Signature: v=1; d=qualitia.co.jp; h=From:Subject; b=abcdef・・・・
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    Hi! I'm Taro @ QUALITIA. ・・・・
    Diagram: the third party has no private key to encrypt the hash with. ×
  25. When there is DKIM: tamper with the signed message
    DKIM-Signature: v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef・・・・
    From: taro@qualitia.co.jp
    Subject: Please transfer money to thief
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: s1._domainkey.qualitia.co.jp TXT "v=dkim1;p=ABCDEF..."
  26. When there is DKIM
    DKIM-Signature: v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef・・・・
    From: taro@qualitia.co.jp
    Subject: Please transfer money to the thief
    AR: dkim=fail
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: s1._domainkey.qualitia.co.jp TXT "v=dkim1;p=ABCDEF..."
    Diagram: decrypting with the public key gives a hash that does not match. Recipient: "Hmm, this might be tampered with?" ×
  27. But!
  28. Even if there is DKIM: send without signature
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: dkim=none
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: s1._domainkey.qualitia.co.jp TXT "v=dkim1;p=ABCDEF..."
    Same as when there is no DKIM. Recipient: "OK, transfer! Click!"
  29. By Any Chance?
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: dkim=none
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: s1._domainkey.qualitia.co.jp TXT "v=dkim1;p=ABCDEF..."
    Same as when there is no DKIM. Recipient: "Ehh? QUALITIA usually signs with DKIM, right?"
  30. Even if there is DKIM: sign as badgroup!
    DKIM-Signature: v=1; d=badgroup.example; s=aku; h=From:Subject; b=abcdef・・・・
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: aku._domainkey.badgroup.example TXT "v=dkim1;p=ABCDEF..."
    Diagram: the hash is encrypted with badgroup's private key.
  31. Even if there is DKIM
    DKIM-Signature: v=1; d=badgroup.example; s=aku; h=From:Subject; b=abcdef・・・・
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: dkim=pass
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: aku._domainkey.badgroup.example TXT "v=dkim1;p=ABCDEF..."
    Diagram: the receiver decrypts with badgroup's public key and the hash matches. ◦ Recipient: "OK, transfer!"
  32. DKIM
    •Sign headers and body to protect from tampering
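What the signature on slides 22 to 26 actually covers, as an added example that is not code from the talk: the relaxed canonicalization of the h= headers and the bh= body hash from RFC 6376. The message is a constructed copy of the slide's mail; the asymmetric step (signing the returned bytes with the s1 private key, or checking b= with the public key from s1._domainkey) is left to a crypto library, and the helper names are this example's own.

```python
"""DKIM relaxed canonicalization (RFC 6376 section 3.4) for the slide's message.

Added example, not code from the talk. Headers and body are a constructed copy
of the slides; signing/verifying the returned bytes is left to a crypto library.
"""
import base64
import hashlib
import re


def canon_header_relaxed(name: str, value: str) -> str:
    """Lowercase the name, unfold, collapse WSP runs, no WSP around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}"


def canon_body_relaxed(body: str) -> bytes:
    """Collapse WSP inside lines, drop trailing WSP and trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip() for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()


def select_headers(headers, h_list):
    """Verifier's rule: for each name in h=, take the last not-yet-used instance
    of that header, scanning from the bottom of the header block."""
    remaining = list(headers)
    chosen = []
    for wanted in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                chosen.append(remaining.pop(i))
                break
    return chosen


def signature_input(headers, tags: dict) -> bytes:
    """Bytes the signer signs and the verifier hashes: the canonicalized h=
    headers each followed by CRLF, then the DKIM-Signature header itself with
    an empty b= and no trailing CRLF."""
    out = [canon_header_relaxed(n, v) + "\r\n"
           for n, v in select_headers(headers, tags["h"].split(":"))]
    sig_value = "; ".join(f"{k}={v}" for k, v in tags.items() if k != "b") + "; b="
    out.append(canon_header_relaxed("DKIM-Signature", sig_value))
    return "".join(out).encode()


# Constructed copy of the slide's signature tags (h=From:Subject).
SLIDE_TAGS = {"v": "1", "a": "rsa-sha256", "c": "relaxed/relaxed",
              "d": "qualitia.co.jp", "s": "s1", "h": "From:Subject"}


def slide_signature_input(subject="Please transfer money",
                          body="Hi! I'm Taro @ QUALITIA.\r\n") -> bytes:
    """Signature input for the slide's mail; changing the Subject (slide 25, or a
    mailing-list tag as on slide 40) or the body changes these bytes, so the
    signature check fails."""
    headers = [("From", "taro@qualitia.co.jp"), ("Subject", subject)]
    return signature_input(headers, dict(SLIDE_TAGS, bh=body_hash(body)))
```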
  33. Problem of SPF, DKIM
    •SPF: even if the third party spoofed the Envelope From, spf will still be a "pass"
    •DKIM: even if the third party signed, dkim will still be a "pass"
  34. DMARC
  35. DMARC
    •Verify based on the Header From
    •Verify that all domains match: Header From, Envelope From, DKIM signer
  36. SPF for badgroup (dmarc p=none)
    Diagram: servers 192.0.2.1 and 203.0.113.1.
    Env From: jiro@badgroup.example
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: spf=pass, dmarc=fail
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: badgroup.example TXT "v=spf1 ip4:203.0.113.1 -all", _dmarc.qualitia.co.jp TXT "v=DMARC1; p=none"
    Recipient: "Oh, dmarc is fail." ×
  37. SPF for badgroup (dmarc p=reject)
    Diagram: servers 192.0.2.1 and 203.0.113.1.
    Env From: jiro@badgroup.example
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: spf=pass, dmarc=fail
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: badgroup.example TXT "v=spf1 ip4:203.0.113.1 -all", _dmarc.qualitia.co.jp TXT "v=DMARC1; p=reject"
    × Reject!
  38. DKIM signature for badgroup (dmarc p=reject)
    DKIM-Signature: v=1; d=badgroup.example; s=aku; h=From:Subject; b=abcdef・・・・
    From: taro@qualitia.co.jp
    Subject: Please transfer money
    AR: dkim=pass, dmarc=fail
    Hi! I'm Taro @ QUALITIA. ・・・・
    DNS: aku._domainkey.badgroup.example TXT "v=dkim1;p=ABCDEF...", _dmarc.qualitia.co.jp TXT "v=DMARC1; p=reject"
    Diagram: signed with badgroup's private key, verified with badgroup's public key. × Reject!
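The alignment rule of slides 35 to 38 worked through in code, as an added example that is not code from the talk or from QUALITIA: the DNS table is a constructed copy of the slide records, the DKIM result is passed in rather than computed from a signature, and the helper names are this example's own.

```python
"""DMARC identifier alignment over the SPF/DKIM results from the slides.

Added example, not code from the talk. DNS_TXT is a constructed copy of the
slide records; the DKIM result is an input, as a real verifier would supply it.
"""

DNS_TXT = {
    "qualitia.co.jp": "v=spf1 ip4:192.0.2.1 -all",
    "badgroup.example": "v=spf1 ip4:203.0.113.1 -all",
    "_dmarc.qualitia.co.jp": "v=DMARC1; p=reject",
}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def spf_check(env_from: str, source_ip: str, dns=DNS_TXT) -> str:
    """Minimal SPF: only the ip4: and -all mechanisms used on the slides."""
    record = dns.get(domain_of(env_from))
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and mech[4:] == source_ip:
            return "pass"
        if mech == "-all":
            return "fail"
    return "neutral"


def dmarc_policy(header_from_domain: str, dns=DNS_TXT) -> dict:
    """Tags of the _dmarc TXT record, or {} when the domain publishes none."""
    record = dns.get("_dmarc." + header_from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else {}


def aligned(identifier_domain: str, header_from_domain: str, mode: str = "r") -> bool:
    """Relaxed alignment (default) accepts a subdomain; strict needs equality."""
    if identifier_domain == header_from_domain:
        return True
    return mode == "r" and identifier_domain.endswith("." + header_from_domain)


def evaluate_dmarc(header_from, env_from, source_ip, dkim_d=None,
                   dkim_result="none", dns=DNS_TXT):
    """Return (spf, dkim, dmarc, disposition) for one message.

    DMARC passes only if an *aligned* identifier passed: spf=pass or dkim=pass
    for badgroup.example does not help a message whose Header From is
    qualitia.co.jp, which is the gap slides 18 and 31 show.
    """
    hf = domain_of(header_from)
    spf = spf_check(env_from, source_ip, dns)
    policy = dmarc_policy(hf, dns)
    if not policy:                       # no DMARC record: nothing to enforce
        return spf, dkim_result, "none", "deliver"
    spf_ok = spf == "pass" and aligned(domain_of(env_from), hf, policy.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_d is not None
               and aligned(dkim_d.lower(), hf, policy.get("adkim", "r")))
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    if dmarc == "pass":
        return spf, dkim_result, dmarc, "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return spf, dkim_result, dmarc, action.get(policy.get("p", "none"), "deliver")
```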
  39. But!
  40. DKIM + Mailing List
    DKIM-Signature: v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef・・・・
    From: taro@qualitia.co.jp
    Subject: [◦◦ML:1234] Hi! All
    AR: dkim=fail
    Hi! Long time no see! ・・・・
    DNS: s1._domainkey.qualitia.co.jp TXT "v=dkim1;p=ABCDEF..."
    Diagram: decrypting with the public key gives a hash that does not match the modified message. Recipient: "Hmm, can I trust this?" ×
  41. ARC
  42. With ARC
    Diagram: QUALITIA (private key) → Mailing List Server ml.example.jp → recipient. The list adds:
    ARC-Seal: i=1; cv=none; d=ml.example.jp;...
    ARC-Message-Signature: i=1; d=ml.example.jp; h=from:subject:dkim-signature:...
    ARC-Authentication-Results: i=1; ml.example.jp; dkim=pass; spf=pass; dmarc=pass
    DKIM-Signature: v=1; d=qualitia.co.jp; b=abcdef・・・・
    From: taro@qualitia.co.jp
    Subject: [◦◦ML:1234] Hi! All
    AR: dkim=fail, arc=pass
    Hi! Long time no see! ・・・・
    Recipient: "OK, arc=pass."
  43. ARC
    •The Authenticated Received Chain Protocol
    •RFC8617 (July 2019)
    •The mailing list server writes an ARC signature with a sequence number, recording that DKIM=pass and ARC=pass when it received the message.
  44. Operation
  45. Recent DKIM Circumstances
    •RFC8301: Cryptographic Algorithm and Key Usage Update to DomainKeys Identified Mail (DKIM) (Jan. 2018)
    ・Both signer and verifier MUST use rsa-sha256
    ・Both MUST NOT use rsa-sha1
    ・Sign: 1024 bit or more (MUST), 2048 bit or more (SHOULD)
    ・Verify: 1024 bit to 4096 bit (MUST)
    ※ But a 2048-bit key is longer than the 255 bytes which DNS can handle
  46. Recent DKIM Circumstances
    •RFC8463: A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM) (Sep. 2018)
    ・Signer SHOULD implement this
    ・Verifier MUST implement this
    ・Write two signatures, Ed25519-SHA256 and RSA-SHA256 (1024 bit or more), for backward compatibility
    Use Ed25519-SHA256: the BASE64-encoded key is just 44 bytes, so it fits into DNS
  47. DKIM Key Rotation
    •DKIM keys have to be rotated
    https://www.m3aawg.org/sites/default/files/m3aawg-dkim-key-rotation-bp-2019-03.pdf
  48. Operation for DKIM
    •Follow the latest cryptography
    •Key rotation
    Too much hassle!!! We are creating a service to DKIM-sign automatically! Coming Soon! (Featured)
  49. BIMI
  50. BIMI
    •Show the logo specified by the sender, if DMARC is "pass". (Featured)
  51. Protect from Spoofing, Tampering (Summary)
    •SPF •DKIM •DMARC •ARC •BIMI
  52. What you want to protect from
    •Spoofing/Tampering •Hijacking/Springboard •Eavesdropping •Spam/Malware/Phishing •Leakage
  53. Protect from Hijacking/Springboard
  54. Protect from Hijacking/Springboard
    Diagram: QUALITIA's mail server and another mail server; hijacking of the sending account.
  55. POP before SMTP
  56. POP before SMTP
    If you pass the POP3 authentication, you can send email.
  57. SMTP AUTH
  58. SMTP AUTH
    If you pass the ID/password authentication on SMTP, you can send email. RFC2554 (1999) → RFC4954 (2007)
  59. OP25B
  60. OP25B
    •If you pass the ID/password authentication on SMTP (Port 587), you can send email.
    •The ISP blocks Port 25 from customers.
  61. Multi Factor Authentication
  62. Multi Factor Authentication
    If multiple combinations of authentication, such as SMTP AUTH, device auth and biometric auth, are passed, you can send an email. Diagram: Device auth + Face auth → OK
  63. Demo: We made it! (Featured)
  64. Demo
    Diagram: Mail server; Device Auth + Face Auth → OK
  65. Device + Face authentication
    Diagram: Sender MUA → packet → mail server
  66. Multi-factor authentication: SMTP Biometric Auth Service
    Looking for β users! (Featured)
  67. Protect from Hijacking/Springboard (Summary)
    •POP before SMTP •SMTP AUTH •OP25B •Multi Factor Authentication
  68. What you want to protect from
    •Spoofing/Tampering •Hijacking/Springboard •Eavesdropping •Spam/Malware/Phishing •Leakage
  69. Protect from Eavesdropping
  70. Protect from Eavesdropping
    Diagram: QUALITIA's mail server and the other mail server; eavesdropping, tampering and stealing on the path.
  71. Encrypted ZIP
  72. Encrypted ZIP
    Diagram: as above, with the attachment protected by a password; eavesdropping, tampering and stealing on the path.
  73. STARTTLS
  74. STARTTLS
    Encrypt the line between mail servers. Diagram: eavesdropping and tampering on the path.
  75. But!
  76. Unsupported STARTTLS
    If the server or client does not support STARTTLS, the client sends the email in plain text (STARTTLS is opportunistic). Diagram: Mail Server1, Mail Server2; eavesdropping, tampering.
  77. When the network routing is hijacked
    Diagram: a mail server inserted on the path via ARP, BGP, ・・・. Encryption is meaningless.
  78. MTA-STS
  79. MTA-STS
    •Force the use of STARTTLS
    •Force the use of TLS 1.2 or higher
    •Enforce that the server has a valid certificate
    •RFC8461 (Sep. 2018)
  80. When there is MTA-STS
    The client does not send if encryption is not supported. = Not stolen.
    DNS: _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
    Policy at https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt:
    version: STSv1
    mode: enforce
    mx: mx1.qualitia.co.jp
    max_age: 1296000
  81. But! If the client did not send it, we want to know.
  82. TLS-RPT
  83. When there is TLS-RPT
    Send a report if the encryption is not supported. RFC8460 (Sep. 2018)
    DNS: _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
    Policy at https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt: version: STSv1, mode: enforce, mx: mx1.qualitia.co.jp, max_age: 1296000
    DNS: _smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=mailto:reports@qualitia.co.jp"
  84. Be careful!
    Same DNS records and policy as above. The server does not support TLS, so the client cannot send the report either (the report mail itself would need the encrypted connection).
  85. Report Using HTTPS
    Same DNS records and policy as above, but:
    _smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=https://api.qualitia.co.jp/v1/tlsrpt"
    HTTPS is also available: POST to https://api.qualitia.co.jp/v1/tlsrpt
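The sending-side logic behind slides 80 to 85, as an added example that is not code from the talk or from QUALITIA's service: the DNS records and the policy file are constructed copies of the slide contents (the policy is really fetched over HTTPS from /.well-known/mta-sts.txt), the TLS handshake result is passed in as a boolean, and the helper names are this example's own.

```python
"""Sender-side MTA-STS (RFC 8461) and TLS-RPT (RFC 8460) handling.

Added example, not code from the talk. The records below are constructed
copies of the slide contents; the TLS outcome is an input.
"""
MTA_STS_TXT = "v=STSv1; id=20191114123000Z;"
MTA_STS_POLICY = "version: STSv1\nmode: enforce\nmx: mx1.qualitia.co.jp\nmax_age: 1296000\n"
TLSRPT_TXT = "v=TLSRPTv1;rua=mailto:reports@qualitia.co.jp"


def _tags(txt: str) -> dict:
    return dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)


def parse_sts_txt(txt: str) -> str:
    """Policy id from the _mta-sts TXT record; a changed id means refetch the policy."""
    tags = _tags(txt)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        raise ValueError("not an MTA-STS record")
    return tags["id"]


def parse_policy(text: str) -> dict:
    """Parse mta-sts.txt (RFC 8461 section 3.2); the mx: line may repeat."""
    fields, mx = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if (fields.get("version") != "STSv1" or not mx
            or fields.get("mode") not in ("enforce", "testing", "none")
            or not fields.get("max_age", "").isdigit()):
        raise ValueError("invalid MTA-STS policy")
    return {"mode": fields["mode"], "mx": mx, "max_age": int(fields["max_age"])}


def mx_matches(policy: dict, mx_host: str) -> bool:
    """A '*.' pattern matches exactly one label below it."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            parent = pattern[2:]
            if host.endswith("." + parent) and "." not in host[: -len(parent) - 1]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy: dict, mx_host: str, tls_ok: bool) -> str:
    """enforce: never fall back to cleartext, defer instead (slide 80's "not
    stolen"); testing: deliver anyway but send a TLS-RPT report."""
    if mx_matches(policy, mx_host) and tls_ok:
        return "deliver"
    if policy["mode"] == "enforce":
        return "defer"
    return "deliver-and-report" if policy["mode"] == "testing" else "deliver"


def tlsrpt_destinations(txt: str) -> list:
    """rua= URIs (mailto: or https:, comma separated) from the _smtp._tls record."""
    tags = _tags(txt)
    if tags.get("v") != "TLSRPTv1":
        return []
    return [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]


def usable_report_uris(uris: list, report_mail_can_use_tls: bool) -> list:
    """Slide 84's trap: if the rua mailbox sits behind the server whose TLS is
    broken, the mailto: report cannot be sent; an https: rua still works.
    (Assumes the mailto: destination is on that same server.)"""
    return [u for u in uris if u.startswith("https:")
            or (u.startswith("mailto:") and report_mail_can_use_tls)]
```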
  86. But!
  87. DNS Hijacking
    Diagram: a hijacked DNS server answers the sending server's queries and disables MTA-STS.
  88. Compromised CA
    Diagram: a Certificate Authority (CA) signs a certificate for qualitia.co.jp; a compromised CA signs one for a mail server inserted on the path via ARP, BGP, ・・・. Everything seems fine for the sender: Trust.
  89. DANE
  90. DANE
    •Do not use a Certificate Authority (CA)
    •You can use one if you want
    •Self-signed certificates are available
    •Use DNSSEC
    •RFC7672 (Oct. 2015)
  91. DANE
    Use the DNS trust chain instead of a CA: Root DNS → DNSSEC → Trust. Certificate Authority (CA): no need.
    _25._tcp.mx1.qualitia.co.jp. IN TLSA 3 0 1 2B73BB905F…
    mx1.qualitia.co.jp
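How a sending server checks a TLSA record like the one on this slide against the certificate the MX presents, as an added example that is not code from the talk: the "certificate" is a constructed byte string standing in for the DER certificate, the TLSA data is computed from it, and the helper names are this example's own. Only usage 3 (DANE-EE) with selector 0 (full certificate) is handled; selector 1 (SubjectPublicKeyInfo) would need an ASN.1 parser and usage 2 (DANE-TA) chain building, so both are reported as unhandled rather than guessed.

```python
"""DANE-EE TLSA matching for SMTP (RFC 7672), with a constructed certificate.

Added example, not code from the talk. MX_CERT is a stand-in byte string, not
a real DER certificate; everything else is computed from it.
"""
import hashlib

DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}  # matching type -> hash; 0 = full data


def parse_tlsa(rdata: str) -> tuple:
    """'3 0 1 <hex>' -> (usage, selector, matching_type, bytes)."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))


def tlsa_status(rdata: str, cert_der: bytes, dnssec_secure: bool) -> str:
    """'match', 'mismatch', 'unusable' or 'unhandled'.

    Without a DNSSEC-validated answer the record proves nothing (a spoofed DNS
    reply could carry any digest), which is why the slides pair DANE with DNSSEC.
    """
    if not dnssec_secure:
        return "unusable"
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage in (0, 1):          # PKIX-TA / PKIX-EE are not used for SMTP (RFC 7672)
        return "unusable"
    if usage != 3 or selector != 0:
        return "unhandled"       # DANE-TA and SPKI selector are out of scope here
    if mtype == 0:
        expected = cert_der
    elif mtype in DIGEST:
        expected = DIGEST[mtype](cert_der).digest()
    else:
        return "unusable"
    return "match" if expected == data else "mismatch"


def tlsa_rdata_for(cert_der: bytes, mtype: int = 1) -> str:
    """Operator side: the rdata to publish for the current certificate. It must
    be republished on every renewal, the rotation burden slide 93 mentions."""
    return f"3 0 {mtype} {DIGEST[mtype](cert_der).hexdigest().upper()}"


# Constructed stand-in for the MX certificate's DER bytes; not a real certificate.
MX_CERT = b"constructed-der-bytes-for-mx1.qualitia.co.jp"
```

A certificate for the same name issued by a compromised CA (slide 88) hashes differently, so it yields "mismatch" even though a CA-based check would accept it.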
  92. But! Settings and operations are not easy
  93. Operation of MTA-STS, TLS-RPT, DANE
    •Operating DNSSEC is not easy
    •We cannot use DNSSEC easily (in Japan)
    •Do not want to rotate keys
    •Do not want to analyze the reports
    Authoritative DNSSEC Service for Mail Users: we are now developing it! (Featured)
  94. Protect from Eavesdropping (Summary)
    •Encrypted ZIP •STARTTLS •MTA-STS •TLS-RPT •DANE-TLS •DNSSEC •DANE-S/MIME
  95. What you want to protect from
    •Spoofing/Tampering •Hijacking/Springboard •Eavesdropping •Spam/Malware/Phishing •Leakage
  96. Protect from Spam, Malware, Phishing
  97. Protect from Spam, Malware
    Diagram: mail servers; spoofing, spam, malware, phishing.
  98. Security for received emails
    •Spam Filtering •Virus Filtering
  99. But! The virus file is also encrypted! Virus scanners cannot detect the virus!
  100. Decode by Password to Detect Virus
    Decode by password → Virus check → Check in sandbox → You can download the file if it is safe. (Featured)
  101. What you want to protect from
    •Spoofing/Tampering •Hijacking/Springboard •Eavesdropping •Spam/Malware/Phishing •Leakage
  102. Protect from Leakage
  103. Mail Missending Prevention
    •Holding email for a while
    •To, Cc → Bcc transformation
    •Password-protected ZIP
  104. Web Downloading
    Diagram: the attachment file is separated from the mail and downloaded from the web. (Featured)
  105. Technologies to protect email
    •Spoofing/Tampering: SPF, DKIM, DMARC, ARC, BIMI
    •Hijacking/Springboard: POP before SMTP, SMTP AUTH, MFA
    •Eavesdropping: STARTTLS, MTA-STS, TLS-RPT, DANE, DNSSEC
    •Spam/Malware/Phishing: AntiSPAM, AntiVirus, SandBox (Active! zone)
    •Leakage: Holding, Passworded ZIP, Web Downloading (Active! gate)
  106. Introduced Products, Services
    •Web Mail for BIMI
    •DKIM signing Service
    •SMTP Bio Auth Product, Service
    •Authoritative DNSSEC + Mail Setting Service
    •TLS Report Analysis Service
    •Virus Checking for Passworded Files Product
    •Attachment Separation for Mail Missending Prevention
    Recruiting β users!
  107. Thank you