EFF Announces STARTTLS Everywhere To Help Make Email Delivery More Secure

Mark Wilson writes: When it comes to messaging tools, people have started to show greater interest in whether encryption is used for security, and the same for websites -- but not so much with email. Thanks to the work of the Electronic Frontier Foundation, however, email security is being placed at the top of the agenda. The privacy group today announces STARTTLS Everywhere, its new initiative to improve the security of the email ecosystem. STARTTLS is an addition to SMTP, and while it does not add end-to-end encryption, it does provide hop-to-hop encryption, which is very much a step in the right direction. In a blog post, EFF elaborates SMARTTLS for the uninitiated, and outlines how it worked around some of the tech's underlying challenges: There are two primary security models for email transmission: end-to-end, and hop-to-hop. Solutions like PGP and S/MIME were developed as end-to-end solutions for encrypted email, which ensure that only the intended recipient can decrypt and read a particular message. Unlike PGP and S/MIME, STARTTLS provides hop-to-hop encryption (TLS for email), not end-to-end. Without requiring configuration on the end-user's part, a mailserver with STARTTLS support can protect email from passive network eavesdroppers. For instance, network observers gobbling up worldwide information from Internet backbone access points (like the NSA or other governments) won't be able to see the contents of messages, and will need more targeted, low-volume methods. In addition, if you are using PGP or S/MIME to encrypt your emails, STARTTLS prevents metadata leakage (like the "Subject" line, which is often not encrypted by either standard) and can negotiate forward secrecy for your emails.

This doesn't help man-in-the-middle attacks

[greenwow]

Since you can just make it appear that TLS is unavailable.

Re:This doesn't help man-in-the-middle attacks

[crow]

This raises the effort required from passive snooping to active interception. This is a good thing. This is an attempt to break mass surveillance.

Re:This doesn't help man-in-the-middle attacks

Apple could break mass surveillance at a stroke by integrating S/MIME certs into its AppleID generation process. They could automate the S/MIME cert issuance process (even letting the user pick a certification agency) and then use what's already baked-in to macOS and iOS to automagically attempt to encrypt all mail. Apple has a knack for simplifying things to the point your mother could use it without worry: they could make a huge swath of the e-mail ecosystem suddenly very time-consuming for the NSA.

Re:This doesn't help man-in-the-middle attacks

Yeah no shit Sherlock.

Re:This doesn't help man-in-the-middle attacks

[EndlessNameless]

This is a good thing. This is an attempt to break mass surveillance.

No, it's stupid.

Doing SMTP over TLS was effective. If TLS support isn't widespread, that is what should be fixed.

Why are we wasting time implementing an optional standard that is weaker---and completely vulnerable to MITM attacks?

Re:This doesn't help man-in-the-middle attacks

[KiloByte]

Solved with DNSSEC+DANE, which for SMTP actually sees some deployment, unlike HTTPS, where anyone who can control one of 400+ CAs, which includes every government and big enough organized crime organization, can produce validly signed certs. With DNSSEC, you'd need to take over either the registrar or TLD -- unlike the CA model, the specific registrar your target uses rather than any of them.

If you try to man-in-the-middle DNSSEC, all you get is a failure to deliver the mail. Which any properly configured server (ie, not Gmail) will report to the sender.

Re:This doesn't help man-in-the-middle attacks

[F.Ultra]

Because e.g with STARTTLS you can make a quick connect to the SMTP port, upgrade to TLS if the other end-point supports it (and optionally disconnect if it doesn't) while with explicit TLS you have to first make a connection attempt to port 465 which can be a latency killer if there is no one listening and the RST is filtered by corporate FW.

Also explicit TLS can be disabled at corporation due to clueless IT that doesn't want to open another port so here a simple upgrade of $SMTPD introduces TLS support where it otherwise would be disabled.

Yes this opens for MiTM but if the default (and I assume that it is) for TLS enabled servers to try TLS first and then fallback to plaintext SMTP then they are also susceptible to the very same MiTM. A STARTTLS implementation does not have to susceptible to MiTM since it can drop the connection if the other end-point does not say that it supports TLS in the server EHLO.

Re:This doesn't help man-in-the-middle attacks

This raises the effort required from passive snooping to active interception. This is a good thing. This is an attempt to break mass surveillance.

It doesn't raise the effort at all. Most ISPs are already using Cisco PIX-like appliances that intercept SMTP traffic on tcp/25 and filter out the STARTTLS keyword from the SMTP server's Greeting response. They are then free to log the rest of the SMTP conversation and/or pipe it through to their favourite 3-letter agency.

The only way this effort is going to make any traction is if mail clients start requiring STARTTLS by default - and that users are educated enough to take their ISPs to task for attempting to intercept their private communications.

Re:This doesn't help man-in-the-middle attacks

it helps.
you can TOFU and then pin down the certificate fingerprint of every inbound and outbound connection.
you can refuse all non-TLS (1.3, or 1.2 at minimum) connections.
you can start a CA file from zero, building as needed as you go, instead of having the fucking world in there.

Re:This doesn't help man-in-the-middle attacks

It's email. No one cares about latency.

Re:This doesn't help man-in-the-middle attacks

[F.Ultra]

try to send say 100k mails in a day from a corporate smtp server with the added latency of several seconds timeout to see if the explicit TSL port is open and get back to me how well that worked out for you.

Re:This doesn't help man-in-the-middle attacks

[HermMunster]

We might think this is an issue for Google or the other big email aggregators, and we might see it somewhat an issue for big corporate, and there's a slight possibility it will affect moderately sized entities, but for the majority which is what we really should be considering that's not an issue.

Re:This doesn't help man-in-the-middle attacks

[HermMunster]

I'm being facetious but...do you mean there are sites that are passing email over port 25 instead of using tls over port 465? Yeah I've heard that 465 isn't a standard and was used briefly but it does work. Starttls on port 587 works but I'd like to see a mandate where everyone is force to use tls.

Re:This doesn't help man-in-the-middle attacks

[F.Ultra]

But how many of those single-mail-per-day users are running their own smtp server? I'm fully aware that I'm biased here and that anecdotal evidence is no evidence but where I work people treat e-mails like instant messages, e.g if you don't reply in a few seconds on some matters people are sending more to ask WTF you are up to.

This is weak.

[fisted]

STARTTLS means upgrading an existing plaintext connection to TLS. Mail servers announce (upon EHLO) what features they support, "starttls" can be one of those. When no "starttls" is advertised, the client will not upgrade and keep using the plaintext connection.

Now, connection security only matters if someone has the ability to listen in to the connection. If someone can listen in, they likely can modify the traffic as well. So here's how to break STARTTLS: Remove the 'starttls' capability from the MTA's EHLO response. Done.

The correct solution would be to unconditionally run SMTP-over-TLS (SMTPS) on a dedicated-for-that port (as is already common practice) and remove the plaintext listener if feasible.

To repurpose a quote about OCSP: "STARTTLS is like a seat belt that always works, except when you're having an accident."

Re:This is weak.

The solution needs more than that because most mail servers are using self-signed certificates. There is no chain of authority or anything. That means you basically have to trust any certificate. So a man in the middle could easily use their own certificate and your server wouldn't even notice.

Re:This is weak.

[KiloByte]

That's trivially avoidable by man-in-the-middle -- the attacker will kindly accept unencrypted connections to you, and upgrade to TLS for the second hop.

Re:This is weak.

[vux984]

I'm not sure if removing the plaintext listener solves the issue, since the MITM operator has prevented you from reaching it anyway.

I wonder if this is something that can be dealt with by an extension to SPF. Where if you advertise STARTTLS then servers can check that, and refuse to deliver to your MX host if STARTTLS is not actually available when they try to connect.

Of course that requires that the DNS also be signed/secure. :) But with that in place MITM would be a lot harder.

Re:This is weak.

[GreyFish]

The presence of a DNSSEC signed DANE/TLSA record for the mail server indicates to other MTA's that the server only does STARTTLS - if STARTTLS is missing from the SMTP dialogue then the other MTA's will refuse to send. Support is available in postfix and exim etc...

Re:This is weak.

[bill_mcgonigle]

When no "starttls" is advertised, the client will not upgrade and keep using the plaintext connection.

That's completely up to the client. Where it matters I have mine configured to stop if STARTTLS isn't successful.

Re:This is weak.

[fisted]

While this isn't far-fetched, at least it would require the client or MTA to ignore a failed TLS handshake. With certificate pinning, it's about as good (or bad) as what SSH does (learning a host key on first use, later complaining if it changes)

Re:This is weak.

[fisted]

So what's the difference between unconditional STARTTLS and SMTPS, other than the former opening up a brief opportunity for a MITM to mess with the connection?

Re:This is weak.

[fisted]

Ok, but Joe Sixpack doesn't.

Plus this is hop-to-hop, you only get to control whether or not to talk to the first hop, after than all bets are off. Let's hope all MTAs in the chain are configured the same way?

I applaud the EFF for enforcing strong security

See subject: Finally we get STARTTLS and hop-to-hop encryption technology.

Safety at last.

APK

P.S.: EFF all the way! ...apk

Re:I applaud the EFF for enforcing strong security

[Rockoon]

I am wondering why the EFF doesnt host free unspied upon best practices email for anyone that wants. The cost of doing that has only grown smaller and smaller over the decades.

It's so secure, it's SMART(TLS)

nt

--sf

Hosts Files

[110010001000]

Another layer to use is to add support for Hosts Files. There is a Host File engine that I recommend that is fast and secure.

Re:Hosts Files

Too late, he's already been summoned.

Re:Hosts Files

my hosts file is bigger than his.

and yours.

makes the web so nice

Re:Hosts Files

shut up you fat retard.

Re:Hosts Files

I thought that Host File engine was just small.

Kill it with fire

[shellster_dude]

In 2018 we should be putting a bullet through the head of unencrypted SMTP and insecure protocols like STARTTLS. I've been running my mail server only allowing secure SMTP over TLS with medium grade ciphers or better, and IMAPS (and only allowing email sending if over secure connection). I've yet to run into issues in the last two years. The only problem is that some people's mail servers keep groping my box for port 25 first, instead of just trying SMTP/TLS and then failing if it can't. For the few devices I have that can't handle SMTP over TLS, I either replace them, or when I can't, I run them over a VPN, and whitelist their IP.

Re:Kill it with fire

> I've been running my mail server only allowing secure SMTP over TLS with medium grade ciphers or better,
> and IMAPS (and only allowing email sending if over secure connection).
> I've yet to run into issues in the last two years.

You must not be sending/receiving much mail then! About half of providers in my case, especially newsletter mailers, do not support any of it and all such mails bounce. Then you get the 'Your email doesn't work' infos via other channels, even though it's their provider with a crappy mail setup.
Hence the EFF has the right idea. Develop the eco-system, then an upgrade to mandatory becomes viable.

Fuck all the idiots with their constant 'I know better's'! Not that they're necessarily incorrect, but that drivel has kept any reasonable safety mechanism at bay for decades now by scaring people off at the very beginning. Remember the PGP debates? And look how many people use it today...epic success for the Nay-sayers!

STARTTLS has been SOP for years

STARTTLS has been standard operating procedure since we found out the NSA was a bad actor ten years ago. It's a central feature of every mail transfer agent. Other than spam most email uses it, and has for a long long time.

hop-to-nsa-to-hop encryption - fixed that for you

[kiviQr]

hop-to-nsa-to-hop encryption - why do half steps?

this is good enough for most people

Now, connection security only matters if someone has the ability to listen in to the connection. If someone can listen in, they likely can modify the traffic as well. So here's how to break STARTTLS: Remove the 'starttls' capability from the MTA's EHLO response. Done.

Except that currently, with completely clear-text SMTP transactions, surveillance departments can tap glass and do a wholesale capture of all e-mail traffic over a network hop.

If, however, everyone starts using STARTTLS then the three-letter agencies have to start expending resources to MITM all those various connections. This is much more difficult than simply slurping up bits.

For most people this is good enough. If you're on the government's radar chances are you're fucked when it comes to being monitoring, but by scrambling all traffic at least innocent people aren't caught in the cross fire of governments monitoring for nefarious activities.

The choice is not: 0% security for everyone (plain SMTP) or 100% security for everyone (S/MIME, PGP). Opportunistic encryption is on the sliding scale of giving many people 10/20/40/80/whatever-percent security, all of which is better than 0.

Perfect is the enemy of good (enough).

Re:this is good enough for most people

[fisted]

Except that currently, with completely clear-text SMTP transactions, surveillance departments can tap glass and do a wholesale capture of all e-mail traffic over a network hop.

If, however, everyone starts using STARTTLS then the three-letter agencies have to start expending resources to MITM all those various connections. This is much more difficult than simply slurping up bits.

Yes, good point.

The choice is not: 0% security for everyone (plain SMTP) or 100% security for everyone (S/MIME, PGP). Opportunistic encryption is on the sliding scale of giving many people 10/20/40/80/whatever-percent security, all of which is better than 0.

Sure. But keep in mind this is just an EFF recommendation, as far as I understand it. So in and by itself, it doesn't make anybody enable anything. Since this is still dependent on admins (and MUA developers) taking action, they might as well have recommended to go for unconditional SMTPS instead of STARTTLS.

Re your follow up comment, I fail to see how "You have to use STARTTLS with this MTA" is any different (except in that it still allows a MITM to briefly mess with the connection) from SMTPS...

Perfect is the enemy of good (enough).

The problem is that "good enough" isn't necessarily good enough, because the people who define what's good enough may be mistaken.

Re:hop-to-nsa-to-hop encryption - fixed that for y

Yeah, this is better than a kick in the shin, but I was hoping this was talking about a way to actually tackle email encryption.

MTA Strict Transport Security: force SMTP TLS

In addition to my above comment, the IETF is working on SMTP MTA Strict Transport Security (MTA-STS):

SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

* https://tools.ietf.org/html/draft-ietf-uta-mta-sts

So even if someone tries to MITM, the the sending MTA knows it should send over TLS and will refused to be fooled.

Re:MTA Strict Transport Security: force SMTP TLS

Almost ever MTA I have seen in the past decade has this capability, as well as the capability for "opportunistic" transport encryption, already available. All it needs is to be enabled.

Yes, of course

[bferrell]

We want an ecosystem that encourages and allows choice... and then decide to force certain choices down you your throat.

wait... what?!

In general, I support the EFF. When this sort of fundamentalist thinking mode takes hold, the end is NEVER good, no matter how well intentioned.

Re:hop-to-nsa-to-hop encryption - fixed that for y

hop-to-nsa-to-hop encryption - why do half steps?

You're only half joking, but any bad actor with the ability to modify your DNS zone can publish a MX record with higher priority (lower MX score) than your primary MX. Their fake MX can easily just forward to the real MX and the target would be largely no wiser.

Doesn't require that the attacker gets MITM on the direct path to your MX, doesn't require fake certificates because their fake MX has a real hostname - letsencrypt will happily provide it valid certs. For most targets, very low chance of being caught out - who checks their MX logs to ensure a good distribution of source IPs and who regularly checks their DNS zone for accuracy?

It's the kind of attack that a nation state could pull off against a user in a different nation state so long as the DNS registrar does business in both states and I wouldn't be surprised to learn it's already been done.

TLS = Transport Layer Security

STARTTLS is Start Transport Layer Security. It is not an "authentication" protocol, merely an encryption protocol. Is the EFF trying to sell certificates now?

TLS with self-signed certificates is perfectly adequate and does exactly that which it portends doing, provide "TRANSPORT LAYER SECURITY". That is, once negotiated it prevent interception of the message being TRANSPORTED over the network. In order to do this self-signed certificates are perfectly adequate.

Re: I applaud the EFF for enforcing strong securit

Because cost can never go as low as it needs to provide a free service.

A testimony as to why Slashdot is now crap

This post about a groundbreaking tech innovation has less than 40 comments while some loony posting about Trump and Russia garbage or 'global warming' gets hundreds of garbage.

If sponsoring Let's Encrypt means selling certs

[tepples]

Is the EFF trying to sell certificates now?

Not quite, but Electronic Frontier Foundation is sponsoring the Let's Encrypt CA. In addition, many of the same companies sponsor both EFF (source) and LE (source). Fastly and DigitalOcean, for example, sponsor both organizations.

once negotiated it prevent interception of the message being TRANSPORTED over the network. In order to do this self-signed certificates are perfectly adequate.

"Negotiation" of a TLS connection includes the client accepting the certificate that the server presents. This is fine over a LAN, as (say) a printer can write the fingerprint of its self-signed certificate to paper in text and QR code form, or a home server appliance can use a composite, VGA, or HDMI output or a built-in status LCD to display the fingerprint. But it's less fine at Internet scale unless there's some convenient means of out-of-band communication between the operators of the client and the server. How would it be practical for every MTA operator to verify every other MTA's self-signed certificate through out-of-band communication?

Re:If sponsoring Let's Encrypt means selling certs

[marka63]

See RFC 6698, The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA

This is a solved problem. You just need to use the solution.

Email is so unsecure

I opened an account with the online bank Ally a few years ago. When I moved, I changed my address for my online account. But then to my surprise, Ally Bank held my money hostage until I proved that I was the one who logged into my account and changed my address!

In order to unlock my account (and my money), Ally Bank's customer "service" rep told me I would have to email a scan of my driver license or passport. I immediately responded, "NO!" I told him that was a very bad thing for any company to ask a customer to do, since email is unsecure, and it could expose my identity over the open Internet to identity thieves. The Ally Bank rep then assured me that Ally Bank's "email servers are very secure"!!!

WTF?

Ally Bank did not seem to realize that no matter how "secure" an email server may be, it is the transmission of emails unencrypted over the open Internet that was the extremely weakest link. I finally ended up sending Ally Bank a copy of my driver license through the postal mail. Then I closed my account with Ally Bank as fast as I could.

Moral: companies like Ally Bank do not realize that traditional email protocols themselves are unsecure, regardless of whether email servers (or clients) are secure.

junk

[Khashishi]

What's the point of a half-assed solution when a full ass exists? This will only serve to marginalize full end-to-end encryption. Did NSA pay for this one?

Re:junk

[geoff_smith82]

Na this still helps. Even with fully encrypted email there would still be a lot of meta data that could be monitored without accessing the mail servers. This will cut that down. I'm sure the eff would be interested in the end to end encryption eventually as well.

hop to hop vs end to end

STARTTLS is an addition to SMTP, and while it does not add end-to-end encryption, it does provide hop-to-hop encryption, which is very much a step in the right direction.

For anyone who thinks it's a step in the right direction, let me explain hop to hop encryption:

Hop to hop (STARTTLS) is like when you write a letter, put it in an envelope, and give it to the mailman. The mailman then takes the letter out of the envelope and reads it. Just before giving it to the recipient, the mailman puts the letter into a new envelope.

If the mailman delivering the mail is not the same mailman who collected it, the first mailman may or may not put the letter in yet another envelope that the second mailman will then take it out of.

If this seems stupid, you probably understood it.

End to end encryption is when you put the letter into an envelope and the mailman delivers the envelope with contents without opening it (as long as the encryption isn't broken, he can't open it).

Spy investigation

ARE YOU LOOKING FOR A ONLINE HACKERS, FRIENDS DARE. IF YOU NEED GENUINE AND PROFESSIONAL HACKING SERVICES CONTACT spymasterpro3x AT gmail dot com via the google mail address. They are professional group of hackers based on their worldwide clientele, Europe, Asia, United Arab Emirates, North America. They are the best hackers and software developers to penetrate any website, all other hackers get in touch with them to get the best Algorithm software. Their services are 100% guaranteed also with their penetration software impossible to track. spymasterpro3x atgmail dot com offer top notch hacking services.

Stupid Waste of Time

This is a stupid waste of time. It provides a false sense of security to clueless admins and especially to users and PHBs.

They need to work on end-to-end email encryption adoption. Hop-to-hop is pointless! Any hop can be inserted and you have no control over it. Email cannot ever be secure until the actual message is encrypted.

DNSSEC is an upsell at some popular registrars

[tepples]

DANE requires DNSSEC, and adoption of DNSSEC requires domain name registrars and DNS zone hosts to make it cheap and easy. Right now many don't. For example, last I checked, GoDaddy considered DNSSEC to be a "premium" feature not included in the zone hosting bundled with registration. I'd assume this is to discourage use of DANE in favor of GoDaddy's CA, but I'm interested in defenses of why this is mere incompetence on GoDaddy's part.

If only...

[Agripa]

If only there was a unified protocol for creating encrypted sessions between systems for all IP packets.