@blamejs/exceptd-skills 0.16.11 → 0.16.13

package/sbom.cdx.json

@@ -1,23 +1,23 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:29d1b932-e4db-4aac-b562-a8b3727c1da6",
+  "serialNumber": "urn:uuid:99237bc9-4dbd-43d8-ac39-1814c14a92f2",
   "version": 1,
   "metadata": {
-    "timestamp": "2048-03-26T11:44:50.000Z",
+    "timestamp": "2107-06-02T13:38:17.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.16.11"
+        "version": "0.16.13"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.11",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.13",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.16.11",
-      "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 43 skills, 11 catalogs (439 CVEs / 174 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
+      "version": "0.16.13",
+      "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 45 skills, 11 catalogs (439 CVEs / 174 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
           "license": {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.11",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.13",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "70d9f0f41bcba23f227253df9e54fd9f7712bc3b14f7ab15414a19fe96727339"
+          "content": "9b5f97cc70b127ed83de1386a5636c0cee439b858d106753854d2721bba97db7"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.11"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.13"
         },
         {
           "type": "vcs",
@@ -54,7 +54,7 @@
       },
       {
         "name": "exceptd:skill:count",
-        "value": "43"
+        "value": "45"
       },
       {
         "name": "exceptd:integrity:method",
@@ -86,11 +86,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "fb74fd144663792dc340deb3a714fc36fca41d5c8c5ac144308763c84aa89458"
+          "content": "73ea9257ed2799e6c6a69b89a7d7a44a0d6f5e7a647a538af4666ff68091684f"
         },
         {
           "alg": "SHA3-512",
-          "content": "ee990d784984d065bf2a29a074a9d23ef2f8687c03214e6150a492076ec8f09d79ee09a11127bb7fd59da8653dc4860678d5767dafcd48031fb2b0cb1adbe768"
+          "content": "43b7a008a7f91aa03c138c0ceb5caaf24d398c681f87cdcbd85fa8555c71ff905ef89555cd991171a156c6e706a2f39971d63a466874fb234bf03cf44a836140"
         }
       ]
     },
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "96f0a921259e60d698b848dad1f62f9556d30aa993b1bb4354393de8ca384258"
+          "content": "0cf3816a29019ecd7684c069258212741fdb5d0e512dd9be6a73a4360f993ab8"
         },
         {
           "alg": "SHA3-512",
-          "content": "83a9e972e8f6d67063be8b7df88f5668acca4115195897469a9f1a358eb17756132ded3b4c775fb2608c9ab5a82c30bbb207e55e1d4f1779dee1225d788f3fb2"
+          "content": "8660524b92d196733cfe77fde02c86497b148cde76ec8d905e927e27e303525aab05ceed51ce52f6ece9465bc2ce39129d41de9b89c7d7a930d11a76e7598faf"
         }
       ]
     },
@@ -176,11 +176,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "ffa417f75487e002c2b7ea829c24b2ae3d4b9861feb9b796960498cd11039501"
+          "content": "854327a98921cc47b5c6f6ede0d8b2c5c234007bfd8f9cec0030d50b36b7ae6e"
         },
         {
           "alg": "SHA3-512",
-          "content": "3ddf859b5a55ac7fbff422672c8edaf33fc8b96a75d8d4fa89dafa074f9f43c30a60104d0255c9564da33d7f98bc5c6f7cc6c9ea3fdc67fa1d702b6b302aaa72"
+          "content": "b3243ff29c9c0f087004f124cd757a5c52af87e0e60881995112f811257617912fa91cda47faed79b50ad14787fc930b8f925a048b5b98c8cc2c7c86b5ee6cb4"
         }
       ]
     },
@@ -281,11 +281,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "81fbed0c2e511d190486fab7b73f80ae3f49f2fa7b1d9737e36108dbaaf15a15"
+          "content": "8461d00161d7285947e6faf3433966b4d09dd5a9e26106b46ee4d07875bdf66c"
         },
         {
           "alg": "SHA3-512",
-          "content": "1fce92382805e2d8f8ff1698bcfc150c2a46f862befe705694b7fc67dc68ecc9a703288b95c636e7031f992fb1e4923ebf418285771f84efb783efe0b0948758"
+          "content": "886f8484598fb0927b3b897eb804b919a6a151ef4843ce572d8fa7f9974a0df6163a1ee5d42c1fbe29f1e413b0f352d8e3e81ac1845623ff2f5a19f746c208b7"
         }
       ]
     },
@@ -341,11 +341,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "6fa292e00da31186d66d58cd11ee960c56d1fa7f1f6113c3b66625732a79f412"
+          "content": "91d29027802d04bfd20f0ffd41c13f529f8bc005af50847832d5960c5a11fbf6"
         },
         {
           "alg": "SHA3-512",
-          "content": "6ab606c53a4b568f7bb21e5f48c49359c8b23285096e9608ff682f28c8b2321c1e2857271e7698dc162dc6685a2e1286187758596e8f49f3b9d84f28f958117b"
+          "content": "f93348d5b0d59e135a047f7cae4edf5ed4bcb94b630c4225046ca7640a08f7b716b7ce4a45671e61870a68d3c3f8c5c8aadc0949eacf013b7a0247f0cb8110d7"
         }
       ]
     },
@@ -551,11 +551,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "f1046b23e75c6fbe2526a9f6a1a48d5d49564c81d609dcdce29a2c946422dc0a"
+          "content": "1f5f749e6fbf82fedef78789dd90ead2bb5bb159a2c7723f67f26d977b4f1108"
         },
         {
           "alg": "SHA3-512",
-          "content": "f16c012caf6ade2aa882cece084e40579986c3215d66e7252518df70e18d8067f09192ba592fdd64c69c8fbff4c255ab1b65fff23401701a7f3f4e18806a2612"
+          "content": "6d425bc941f84d430392daad961ddba8f6d8c7fb1082fd8f117c3d3af6c8b8b0ab1e3b96ff86aaa5f8d1b2bc6dae19a517c90d78bafb092a8d70dc990efabfcc"
         }
       ]
     },
@@ -566,11 +566,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "bdd51b48ddc83601a05d4d5e81a96a37095741914bc9db7905f4835a2b3e5805"
+          "content": "5e6c511625e5f87f267eae4ac95999082cd83a962c8f9d7e028f18973501bce8"
         },
         {
           "alg": "SHA3-512",
-          "content": "0db71ad4349b31179818fbff41608c828845c3f26ab4545772e9ee304e186e732bf89b454d7a3559e891c17e93396602db343577ff09e9fd524b2d21577a9c17"
+          "content": "15be64ac6bb7826f0976eb24bb3fbe12e1766b4f28200bfd375f6459d8d6598fab809a7a59ba1a4707de14f4f7affcdcd4c1467d399d584f4f7c8bbba74be9d7"
         }
       ]
     },
@@ -664,6 +664,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:data/playbooks/mail-server-hardening.json",
+      "type": "file",
+      "name": "data/playbooks/mail-server-hardening.json",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "7fe2cdf5257f84561a4e88553b3274eb6aab20543affa36d29686b7ba1ef2abb"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "e77daa000cb93d3a93604cfa14f6c5f5d0dfdff4f54f5985c74717424e476bb5b550c6a781a79f8847d17a1346e42aeb4ba44b53149889a53fa7d907168fb8f7"
+        }
+      ]
+    },
     {
       "bom-ref": "file:data/playbooks/mcp.json",
       "type": "file",
@@ -679,6 +694,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:data/playbooks/network-trust.json",
+      "type": "file",
+      "name": "data/playbooks/network-trust.json",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "505f79dadc74157569171129ddf8e9fceb7313c80c07fa7ebc444cceb6c52375"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "25f6c2c90ada920bf7586e496c728b11c3a48dbaa805f37a3d678508e551160ea2e19044e3e7bfc50062aad6523ab68fe5305b78f3f24889f2e0f3de780a8902"
+        }
+      ]
+    },
     {
       "bom-ref": "file:data/playbooks/post-quantum-migration.json",
       "type": "file",
@@ -746,11 +776,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "7e12255843447356cdfe372c20284fe21316abcaa61275267547ab5f8a7b4abb"
+          "content": "1bca35c4d562eb32bf3893b3e978396fad102bdb9e2a2b28189f8940ff3e7a56"
         },
         {
           "alg": "SHA3-512",
-          "content": "ca10e22d96a1c3ca7a219db54015559650679807294169ada3f8584e43846fa57e2ec77b69b53a574bde6ea5eec51e3f92ad5c4730aba0ae020eb8ebf1b85dc6"
+          "content": "239148333b803245899425506b76255cfd0327bda7e0339905c62d599f59ede8cfacc37e4f75cecf5c0a8dc9f3122ce010d4bc1b409928bc1198e7e634ba545d"
         }
       ]
     },
@@ -1736,11 +1766,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3d9a53fa10f7c9842903252192f1f838bec422b99ed9562be9fd7aef88dacf20"
+          "content": "01d04f338bc17fbb0ed099faf0da62eefc9022888f2474171b587e614eab3255"
         },
         {
           "alg": "SHA3-512",
-          "content": "62cef0d1915cd4f3a63f952c2fa42c7e0279c15828ae83e5cdd8b6490767400fa7cdfbf5ecedca6fe16859ccfd72ff7acffec7209ae806a4bf6748c63d25bfc7"
+          "content": "bc5f3606a4398b42c41b527f5137360a08dc760658c85dee9866bb2c6ac3585a53fed8002194d15ed2c22feb3adf575a807abf22a0c5546ec1a51521a8e7fffb"
         }
       ]
     },
@@ -1751,11 +1781,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a774939dc7902765bf4be36cd308c34b66a3bb105f4404fa06992b79d5ac3dee"
+          "content": "c3408c1564ddaf9815fdb31956e1821ece71ce2d6d903c8bacf272021b45bdbc"
         },
         {
           "alg": "SHA3-512",
-          "content": "dd9a282b83be1929330b58def5c377eec93fcb0fb23401c484d81a639c0e5c0df0ff6b151aaf73b720345e88c45f68f47da83ef0114f3520f6b5040f3b64f27b"
+          "content": "e70da6249208be2a670131b731e610e9b6497e26e56b00d7fa58d3c0535a0b749842551dfb6e9e62ac0a4fa7eed02979b0009b38ff7447f7c761b766aa4c0aa2"
         }
       ]
     },
@@ -1766,11 +1796,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "cdd4fb5f74a72b662c5db992bb3de8d484c9c87951a40762f2b5198453747dba"
+          "content": "1aa03bd9897ddbaefef7593f21f0683e5cfb97b3d45e4d062880c7f1f9bed36d"
         },
         {
           "alg": "SHA3-512",
-          "content": "678e0257b4a71322194c65cc2258c0c76d0f2ec83152ef1bd3a3e453aab360da8550a4430b67eb5f8b03d8314cd283be47bd779cd22087b7855dd90129916168"
+          "content": "3936d8b66e2a7a0b854d2739ebb7bff2a0f1dac1455008d8afaa4d5cc644e72fa67298fe00abedbb4d8a9bb40a691c389ff3cc2e4b55ecabe1da27ee6ed5b25a"
         }
       ]
     },
@@ -2899,6 +2929,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:skills/mail-server-hardening/skill.md",
+      "type": "file",
+      "name": "skills/mail-server-hardening/skill.md",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "0554e23457851ac1cdb3b8217fae902789798db1bbc67c5f4cf1df6fd265cf15"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "d5768c68a3479cd0f8f9b9aad60422805fb03e3de022829f7a4f6794c8d6d0a78daaf36f7f72c840add8021d2299d5133310268f671b04db1df9040d4e1af1e9"
+        }
+      ]
+    },
     {
       "bom-ref": "file:skills/mcp-agent-trust/skill.md",
       "type": "file",
@@ -2929,6 +2974,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:skills/network-trust/skill.md",
+      "type": "file",
+      "name": "skills/network-trust/skill.md",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "d1c2fd6ce0bd74e508a41a61c8618cc5c979eaea2702ca97003ce46ba8c9dfa8"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "b1fd259f983b2bad0ce44290f12f6712f786aa8db7ef3fbab9db1c95b3b16fb9a151d7ccfc509e144dc311fa66a11bd0d357a5c57ddb59801ff2221176b7aa0a"
+        }
+      ]
+    },
     {
       "bom-ref": "file:skills/ot-ics-security/skill.md",
       "type": "file",

package/skills/mail-server-hardening/skill.md

@@ -0,0 +1,84 @@
+---
+name: mail-server-hardening
+version: "1.0.0"
+description: Inbound mail-server protocol hardening for mid-2026 — SMTP smuggling, STARTTLS command/response injection, IMAP/POP3/ManageSieve command injection, Sieve redirect exfiltration, open relay, mailbox-DAV traversal/XXE, and cleartext-AUTH (the server-side protocol layer that SPF/DKIM/DMARC do not protect)
+triggers:
+  - mail server hardening
+  - smtp smuggling
+  - starttls injection
+  - open relay
+  - imap command injection
+  - managesieve
+  - sieve redirect
+  - mailbox dav
+  - caldav
+  - carddav
+  - pop3
+  - mx hardening
+  - rfc 5321
+  - rfc 9051
+  - rfc 5804
+  - mail protocol
+  - inbound mail
+  - smtp listener
+discovery_mode: standalone
+data_deps:
+  - cve-catalog.json
+  - atlas-ttps.json
+  - attack-techniques.json
+  - framework-control-gaps.json
+  - cwe-catalog.json
+  - rfc-references.json
+atlas_refs: []
+attack_refs:
+  - T1190
+  - T1071.003
+  - T1557
+framework_gaps:
+  - NIST-800-53-SI-2
+  - ISO-27001-2022-A.8.8
+  - NIS2-Art21-network-security
+  - PCI-DSS-4.0-6.3.3
+cwe_refs:
+  - CWE-77
+  - CWE-93
+  - CWE-22
+  - CWE-611
+  - CWE-863
+  - CWE-400
+last_threat_review: "2026-06-02"
+---
+
+# Inbound Mail-Server Protocol Hardening
+
+## Threat Context (mid-2026)
+
+A mail server that terminates inbound SMTP, IMAP, POP3, JMAP, or ManageSieve exposes a protocol surface that sender-authentication (SPF/DKIM/DMARC) and transport TLS do not protect. SMTP smuggling (CVE-2023-51764/51765/51766) exploits a server that accepts a non-standard end-of-data sequence to deliver a second message that inherits the outer connection's authentication pass — spoofed mail past DMARC. STARTTLS command/response injection (CVE-2021-38371, CVE-2021-33515) executes attacker plaintext buffered before the handshake. An open relay lends the operator's reputation to spammers. Uncapped Sieve `redirect` is a silent mail-exfiltration primitive. Mailbox-DAV (CalDAV/CardDAV) endpoints add path-traversal and XXE. Each is a configuration or parser-hardening gap, not a CVE to patch.
+
+## Framework Lag Declaration
+
+Organisational mail controls center on sender authentication and transport encryption: SPF, DKIM, DMARC, and a TLS certificate. None prescribe the server-side protocol hardening this skill audits. NIST 800-53 SI-2 expects flaw remediation via a patch cadence, but the smuggling and STARTTLS-injection fixes are configuration (strict end-of-data handling, receive-buffer drain) the patch process never surfaces. NIS2 Art.21 names network security of essential services but assumes SPF/DKIM/DMARC and TLS suffice — they are bypassed at the protocol layer. A clean DMARC + TLS audit is therefore NON-EVIDENCE for inbound protocol hardening; the two address different boundaries.
+
+## TTP Mapping
+
+The inbound mail-protocol failures map to MITRE ATT&CK: **T1190 (Exploit Public-Facing Application)** for command-literal injection in the IMAP/POP3/ManageSieve parsers and mailbox-DAV traversal/XXE; **T1071.003 (Application Layer Protocol: Mail Protocols)** for SMTP smuggling delivering spoofed mail and open-relay abuse; and **T1557 (Adversary-in-the-Middle)** for STARTTLS receive-buffer injection that crosses the TLS boundary. Cleartext AUTH before STARTTLS enables **T1040 (Network Sniffing)**; absent auth rate limiting enables **T1110 (Brute Force)**; uncapped Sieve redirect enables **T1114 (Email Collection)**. The weakness classes are CWE-93 (CRLF/smuggling), CWE-77 (command injection), CWE-22 (path traversal), CWE-611 (XXE), CWE-863 (open-relay authorization), and CWE-400 (uncapped Sieve/PUTSCRIPT resource use).
+
+## Exploit Availability Matrix
+
+These are protocol-posture gaps, so weaponisation is low-cost and reusable. SMTP smuggling has public tooling (SEC Consult, December 2023) and the CVE-2023-51764/51765/51766 entries are catalogued. STARTTLS injection has public test tooling from the 2021 "NO STARTTLS" research (CVE-2021-38371, CVE-2021-33515). Open-relay testing requires only an unauthenticated MAIL FROM + RCPT TO probe. Command-literal injection and mailbox-DAV traversal require only a crafted protocol line. None need a novel exploit; the exploit is the absence of the check. Real-world priority is driven by internet-reachability of the listener and whether the gap yields spoofing/relay (reputation + phishing delivery) or mailbox-data exposure.
+
+## Analysis Procedure
+
+1. Inventory every inbound mail listener and its port (implicit-TLS 465/993/995 vs opportunistic-STARTTLS 25/587/143/110/4190). 2. Probe SMTP for non-standard end-of-data acceptance (smuggling) and unauthenticated relay. 3. Probe each opportunistic-STARTTLS listener for an undrained pre-handshake buffer and for AUTH offered before TLS. 4. Inspect the IMAP/POP3 parsers for bare-CR/LF acceptance and the ManageSieve listener for unbounded PUTSCRIPT and cleartext AUTH. 5. Inspect the Sieve engine for an uncapped `redirect` and the mailbox-DAV endpoint for traversal + XXE. 6. Confirm auth rate limiting / greylisting is active. Run the `mail-server-hardening` playbook to execute these as detect indicators with false-positive checks, then score by reachability and impact class.
+
+## Output Format
+
+Report per listener and protocol, marking each hardening check enforced / missing / inconclusive (visibility gap). For every missing check, state the port, whether it is internet-facing, and whether the gap yields spoofing/relay or mailbox-data exposure. Distinguish a live-listener finding from a documented test fixture or an upstream-proxy-enforced control. Provide the prioritised remediation (enforce standard end-of-data, drain the STARTTLS buffer and gate AUTH on TLS, harden the command parsers, restrict relay and cap Sieve redirect, harden mailbox-DAV and add rate limits) and the negative validation tests that prove each fix (smuggling rejected, relay rejected, STARTTLS injection rejected) plus the functional test that legitimate mail still flows.
+
+## Compliance Theater Check
+
+The recurring theater is "we have SPF/DKIM/DMARC and TLS, so our mail server is secure" and "relay is restricted in our config." Sender authentication and transport TLS protect different boundaries than the inbound protocol parser; a config flag is not evidence the listener enforces it. The distinguishing test: probe the live inbound listener for non-standard end-of-data acceptance, an undrained STARTTLS buffer, unauthenticated relay, and cleartext AUTH. If any probe succeeds, the DMARC record and TLS certificate did not protect the protocol layer, and the assurance is paper. "Relay is restricted" is theater until an unauthenticated RCPT-to-external probe is actually refused.
+
+## Defensive Countermeasure Mapping
+
+Map findings to MITRE D3FEND: strict end-of-data enforcement and command-parser hardening realise Message Authentication and Inbound Traffic Filtering (countering T1071.003/T1190); STARTTLS receive-buffer draining and AUTH-after-TLS gating realise Transport Session Integrity (countering T1557/T1040); relay authorization realises Outbound Traffic Filtering (countering open-relay reputation abuse); Sieve redirect caps realise Email Filtering (countering T1114 exfiltration). Pair the protocol hardening with auth rate limiting and greylisting (countering T1110). The residual risk after hardening is a compromised authenticated account acting within its own authorization, which protocol hardening does not address — accept it at the CISO level with identity-control compensation.

package/skills/network-trust/skill.md

@@ -0,0 +1,81 @@
+---
+name: network-trust
+version: "1.0.0"
+description: Network-layer trust and adversary-in-the-middle resistance for mid-2026 — DNSSEC validation, DANE/TLSA pinning, TSIG, mTLS private-CA pinning, RFC 9421 HTTP message signatures, DNS-rebinding/SSRF guarding, and authenticated time (NTS) and its effect on certificate validity and TOTP
+triggers:
+  - network trust
+  - adversary in the middle
+  - aitm
+  - dnssec
+  - dane
+  - tlsa
+  - tsig
+  - mtls pinning
+  - certificate pinning
+  - http message signature
+  - rfc 9421
+  - dns rebinding
+  - nts
+  - authenticated time
+  - ntp spoofing
+  - public suffix list
+  - name resolution trust
+discovery_mode: standalone
+data_deps:
+  - cve-catalog.json
+  - atlas-ttps.json
+  - attack-techniques.json
+  - framework-control-gaps.json
+  - cwe-catalog.json
+  - rfc-references.json
+atlas_refs: []
+attack_refs:
+  - T1557
+  - T1071.004
+  - T1556
+framework_gaps:
+  - NIST-800-53-SC-8
+  - ISO-27001-2022-A.8.21
+  - NIS2-Art21-network-security
+  - UK-CAF-B4
+cwe_refs:
+  - CWE-345
+  - CWE-918
+  - CWE-290
+  - CWE-347
+last_threat_review: "2026-06-02"
+---
+
+# Network-Layer Trust (AiTM Resistance)
+
+## Threat Context (mid-2026)
+
+Below the application, TLS authenticates a certificate against a CA bundle — not the specific peer you intended to reach, and not the DNS answer or the clock that got you there. Adversary-in-the-middle attacks exploit the trust-anchor validation TLS does not perform: forge a DNS answer where DNSSEC is not validated; present a mis-issued-but-CA-valid certificate where DANE/TLSA or an mTLS CA pin is not checked; shift an unauthenticated clock to revive an expired certificate or a TOTP window; or rebind a name from a public to an internal address. The DNSSEC validation surface itself carries availability risk (KeyTrap CVE-2023-50387, NSEC3 CVE-2023-50868). These are validation-posture gaps, not cryptographic-primitive weaknesses.
+
+## Framework Lag Declaration
+
+Organisational network controls equate TLS with peer authenticity and assume DNS and time are trustworthy. NIST 800-53 SC-8 (transmission integrity) is satisfied by TLS to a CA bundle and does not require DANE pinning, DNSSEC, or authenticated time. ISO 27001 A.8.21 (security of network services) is met with TLS + a CA bundle. NIS2 Art.21 names network security of essential services but not the DNS/time/transport trust-anchor posture that AiTM exploits. A clean "we use TLS and a validating resolver and NTP" audit is therefore NON-EVIDENCE for network-trust posture; it confirms encryption and a CA bundle, not end-to-end DNSSEC validation, peer pinning, or authenticated time.
+
+## TTP Mapping
+
+The network-trust failures map to MITRE ATT&CK: **T1557 (Adversary-in-the-Middle)** for mis-issued-certificate acceptance (no DANE/mTLS pin), DNS-rebinding SSRF, and clock-shift cert revival; **T1071.004 (Application Layer Protocol: DNS)** for forged answers accepted without DNSSEC and unauthenticated zone transfer/update without TSIG; and **T1556 (Modify Authentication Process)** for unverified HTTP message signatures and PSL-driven cookie-boundary confusion, plus the TOTP-window impact of time-shift. The weakness classes are CWE-345 (insufficient verification of data authenticity), CWE-918 (SSRF via DNS rebinding), CWE-290 (authentication bypass by spoofing), and CWE-347 (improper signature/certificate verification).
+
+## Exploit Availability Matrix
+
+These are posture gaps, so weaponisation is low-cost given an on-path or DNS-influencing position. DNS forgery and cache poisoning have commodity tooling; the DNSSEC validation surface's own DoS (KeyTrap / NSEC3) is catalogued with public analysis. DNS rebinding has public frameworks. A mis-issued or compromised-CA certificate is a recurring real-world event that DANE/mTLS pinning is designed to contain. Unauthenticated NTP is steerable by any on-path attacker. None require a novel exploit; the exploit is the absent validation. Real-world priority is driven by whether the unvalidated anchor sits on an internet-facing authentication, credential, or payment path, and by how many trust decisions ride on it.
+
+## Analysis Procedure
+
+1. Inventory the paths whose security depends on DNS authenticity, peer-certificate identity, accurate time, or request-signature integrity. 2. Confirm the application path validates DNSSEC end-to-end (or trusts a validated upstream over DoT/DoH) and guards DNS rebinding (pin resolved IP, refuse private ranges). 3. Confirm DANE/TLSA is checked on capable peers and that mTLS pins the expected private CA / SPKI rather than the full public bundle. 4. Confirm time is authenticated (NTS or an authenticated source) and treated as a trust input for cert-validity and TOTP. 5. Confirm TSIG on zone operations and adequately-scoped RFC 9421 message-signature verification. 6. Confirm the Public Suffix List is current. Run the `network-trust` playbook to execute these as detect indicators with false-positive checks, then score by reachability and the number of trust decisions affected.
+
+## Output Format
+
+Report per trust anchor (DNS, peer certificate, time, message signature), marking each enforced / missing / inconclusive (visibility gap). For every missing check, state whether the path is internet-facing and which trust decisions (peer auth, name resolution, cert validity, TOTP) depend on it. Distinguish a genuinely-not-in-scope anchor (no DANE-capable peer, no authoritative zone, fixed pinned IP) from an unvalidated one. Provide the prioritised remediation (validate DNSSEC + guard rebinding, pin peer certificates via DANE/mTLS, authenticate time, require TSIG + verify message signatures, refresh the PSL) and the negative validation tests that prove each fix (forged DNS rejected, mis-issued cert rejected, time-shift cannot revive a cert) plus a functional test that legitimate traffic still flows.
+
+## Compliance Theater Check
+
+The recurring theater is "we use TLS everywhere, so the peer is authenticated," "we use a DNSSEC-validating resolver," and "time sync is handled." TLS authenticates against a CA bundle, not the expected peer; a validating resolver upstream is moot if the application accepts any answer over an unauthenticated hop; unauthenticated NTP is attacker-steerable. The distinguishing test: confirm the application path checks DANE/TLSA (or pins the mTLS CA), trusts the AD flag / validates DNSSEC end-to-end, and uses authenticated time. If a forged DNS answer, a mis-issued certificate, or a time shift would be accepted, TLS did not make the network trustworthy and the assurance is paper.
+
+## Defensive Countermeasure Mapping
+
+Map findings to MITRE D3FEND: DNSSEC validation and DNS-rebinding guarding realise DNS Traffic Analysis and Resolution-Trust enforcement (countering T1071.004/T1557); DANE/TLSA and mTLS CA pinning realise Certificate Pinning and Public Key Infrastructure validation (countering T1557 mis-issuance); authenticated time (NTS) realises System Time Integrity (countering clock-shift cert/TOTP abuse); RFC 9421 message-signature verification realises Message Authentication (countering T1556). Pair DANE with DNSSEC (TLSA without DNSSEC is meaningless) and treat the clock as a security input. The residual risk after validation is compromise of the trust anchor itself (signing key, pinned CA, time authority), addressed by key-management and monitoring, accepted at the CISO level.