Slashdot Mirror

← Back to Stories (view on slashdot.org)

EFF Announces STARTTLS Everywhere To Help Make Email Delivery More Secure (betanews.com)

Posted by msmash on from the step-in-the-right-direction dept.

Mark Wilson writes: When it comes to messaging tools, people have started to show greater interest in whether encryption is used for security, and the same for websites -- but not so much with email. Thanks to the work of the Electronic Frontier Foundation, however, email security is being placed at the top of the agenda. The privacy group today announces STARTTLS Everywhere, its new initiative to improve the security of the email ecosystem. STARTTLS is an addition to SMTP, and while it does not add end-to-end encryption, it does provide hop-to-hop encryption, which is very much a step in the right direction. In a blog post, EFF elaborates SMARTTLS for the uninitiated, and outlines how it worked around some of the tech's underlying challenges: There are two primary security models for email transmission: end-to-end, and hop-to-hop. Solutions like PGP and S/MIME were developed as end-to-end solutions for encrypted email, which ensure that only the intended recipient can decrypt and read a particular message. Unlike PGP and S/MIME, STARTTLS provides hop-to-hop encryption (TLS for email), not end-to-end. Without requiring configuration on the end-user's part, a mailserver with STARTTLS support can protect email from passive network eavesdroppers. For instance, network observers gobbling up worldwide information from Internet backbone access points (like the NSA or other governments) won't be able to see the contents of messages, and will need more targeted, low-volume methods. In addition, if you are using PGP or S/MIME to encrypt your emails, STARTTLS prevents metadata leakage (like the "Subject" line, which is often not encrypted by either standard) and can negotiate forward secrecy for your emails.

37 of 58 comments (clear)

  1. This doesn't help man-in-the-middle attacks by greenwow · · Score: 2

    Since you can just make it appear that TLS is unavailable.

    1. Re:This doesn't help man-in-the-middle attacks by crow · · Score: 4, Informative

      This raises the effort required from passive snooping to active interception. This is a good thing. This is an attempt to break mass surveillance.

    2. Re:This doesn't help man-in-the-middle attacks by Anonymous Coward · · Score: 1

      Apple could break mass surveillance at a stroke by integrating S/MIME certs into its AppleID generation process. They could automate the S/MIME cert issuance process (even letting the user pick a certification agency) and then use what's already baked-in to macOS and iOS to automagically attempt to encrypt all mail. Apple has a knack for simplifying things to the point your mother could use it without worry: they could make a huge swath of the e-mail ecosystem suddenly very time-consuming for the NSA.

    3. Re:This doesn't help man-in-the-middle attacks by EndlessNameless · · Score: 1

      This is a good thing. This is an attempt to break mass surveillance.

      No, it's stupid.

      Doing SMTP over TLS was effective. If TLS support isn't widespread, that is what should be fixed.

      Why are we wasting time implementing an optional standard that is weaker---and completely vulnerable to MITM attacks?

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    4. Re:This doesn't help man-in-the-middle attacks by KiloByte · · Score: 5, Informative

      Solved with DNSSEC+DANE, which for SMTP actually sees some deployment, unlike HTTPS, where anyone who can control one of 400+ CAs, which includes every government and big enough organized crime organization, can produce validly signed certs. With DNSSEC, you'd need to take over either the registrar or TLD -- unlike the CA model, the specific registrar your target uses rather than any of them.

      If you try to man-in-the-middle DNSSEC, all you get is a failure to deliver the mail. Which any properly configured server (ie, not Gmail) will report to the sender.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:This doesn't help man-in-the-middle attacks by F.Ultra · · Score: 2

      Because e.g with STARTTLS you can make a quick connect to the SMTP port, upgrade to TLS if the other end-point supports it (and optionally disconnect if it doesn't) while with explicit TLS you have to first make a connection attempt to port 465 which can be a latency killer if there is no one listening and the RST is filtered by corporate FW.

      Also explicit TLS can be disabled at corporation due to clueless IT that doesn't want to open another port so here a simple upgrade of $SMTPD introduces TLS support where it otherwise would be disabled.

      Yes this opens for MiTM but if the default (and I assume that it is) for TLS enabled servers to try TLS first and then fallback to plaintext SMTP then they are also susceptible to the very same MiTM. A STARTTLS implementation does not have to susceptible to MiTM since it can drop the connection if the other end-point does not say that it supports TLS in the server EHLO.

    6. Re:This doesn't help man-in-the-middle attacks by Anonymous Coward · · Score: 1

      This raises the effort required from passive snooping to active interception. This is a good thing. This is an attempt to break mass surveillance.

      It doesn't raise the effort at all. Most ISPs are already using Cisco PIX-like appliances that intercept SMTP traffic on tcp/25 and filter out the STARTTLS keyword from the SMTP server's Greeting response. They are then free to log the rest of the SMTP conversation and/or pipe it through to their favourite 3-letter agency.

      The only way this effort is going to make any traction is if mail clients start requiring STARTTLS by default - and that users are educated enough to take their ISPs to task for attempting to intercept their private communications.

    7. Re:This doesn't help man-in-the-middle attacks by F.Ultra · · Score: 1

      try to send say 100k mails in a day from a corporate smtp server with the added latency of several seconds timeout to see if the explicit TSL port is open and get back to me how well that worked out for you.

    8. Re:This doesn't help man-in-the-middle attacks by HermMunster · · Score: 1

      We might think this is an issue for Google or the other big email aggregators, and we might see it somewhat an issue for big corporate, and there's a slight possibility it will affect moderately sized entities, but for the majority which is what we really should be considering that's not an issue.

      --
      You can lead a man with reason but you can't make him think.
    9. Re:This doesn't help man-in-the-middle attacks by HermMunster · · Score: 1

      I'm being facetious but...do you mean there are sites that are passing email over port 25 instead of using tls over port 465? Yeah I've heard that 465 isn't a standard and was used briefly but it does work. Starttls on port 587 works but I'd like to see a mandate where everyone is force to use tls.

      --
      You can lead a man with reason but you can't make him think.
    10. Re:This doesn't help man-in-the-middle attacks by F.Ultra · · Score: 1

      But how many of those single-mail-per-day users are running their own smtp server? I'm fully aware that I'm biased here and that anecdotal evidence is no evidence but where I work people treat e-mails like instant messages, e.g if you don't reply in a few seconds on some matters people are sending more to ask WTF you are up to.

  2. This is weak. by fisted · · Score: 4, Insightful

    STARTTLS means upgrading an existing plaintext connection to TLS. Mail servers announce (upon EHLO) what features they support, "starttls" can be one of those. When no "starttls" is advertised, the client will not upgrade and keep using the plaintext connection.

    Now, connection security only matters if someone has the ability to listen in to the connection. If someone can listen in, they likely can modify the traffic as well. So here's how to break STARTTLS: Remove the 'starttls' capability from the MTA's EHLO response. Done.

    The correct solution would be to unconditionally run SMTP-over-TLS (SMTPS) on a dedicated-for-that port (as is already common practice) and remove the plaintext listener if feasible.

    To repurpose a quote about OCSP: "STARTTLS is like a seat belt that always works, except when you're having an accident."

    --
    CLI paste? paste.pr0.tips!
    1. Re:This is weak. by Anonymous Coward · · Score: 3, Interesting

      The solution needs more than that because most mail servers are using self-signed certificates. There is no chain of authority or anything. That means you basically have to trust any certificate. So a man in the middle could easily use their own certificate and your server wouldn't even notice.

    2. Re:This is weak. by KiloByte · · Score: 1

      That's trivially avoidable by man-in-the-middle -- the attacker will kindly accept unencrypted connections to you, and upgrade to TLS for the second hop.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:This is weak. by vux984 · · Score: 1

      I'm not sure if removing the plaintext listener solves the issue, since the MITM operator has prevented you from reaching it anyway.

      I wonder if this is something that can be dealt with by an extension to SPF. Where if you advertise STARTTLS then servers can check that, and refuse to deliver to your MX host if STARTTLS is not actually available when they try to connect.

      Of course that requires that the DNS also be signed/secure. :) But with that in place MITM would be a lot harder.

    4. Re:This is weak. by GreyFish · · Score: 2

      The presence of a DNSSEC signed DANE/TLSA record for the mail server indicates to other MTA's that the server only does STARTTLS - if STARTTLS is missing from the SMTP dialogue then the other MTA's will refuse to send. Support is available in postfix and exim etc...

    5. Re:This is weak. by bill_mcgonigle · · Score: 2

      When no "starttls" is advertised, the client will not upgrade and keep using the plaintext connection.

      That's completely up to the client. Where it matters I have mine configured to stop if STARTTLS isn't successful.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re:This is weak. by fisted · · Score: 1

      While this isn't far-fetched, at least it would require the client or MTA to ignore a failed TLS handshake. With certificate pinning, it's about as good (or bad) as what SSH does (learning a host key on first use, later complaining if it changes)

      --
      CLI paste? paste.pr0.tips!
    7. Re:This is weak. by fisted · · Score: 1

      So what's the difference between unconditional STARTTLS and SMTPS, other than the former opening up a brief opportunity for a MITM to mess with the connection?

      --
      CLI paste? paste.pr0.tips!
    8. Re:This is weak. by fisted · · Score: 1

      Ok, but Joe Sixpack doesn't.

      Plus this is hop-to-hop, you only get to control whether or not to talk to the first hop, after than all bets are off. Let's hope all MTAs in the chain are configured the same way?

      --
      CLI paste? paste.pr0.tips!
  3. I applaud the EFF for enforcing strong security by Anonymous Coward · · Score: 1

    See subject: Finally we get STARTTLS and hop-to-hop encryption technology.

    Safety at last.

    APK

    P.S.: EFF all the way! ...apk

    1. Re:I applaud the EFF for enforcing strong security by Rockoon · · Score: 1

      I am wondering why the EFF doesnt host free unspied upon best practices email for anyone that wants. The cost of doing that has only grown smaller and smaller over the decades.

      --
      "His name was James Damore."
  4. Hosts Files by 110010001000 · · Score: 1, Funny

    Another layer to use is to add support for Hosts Files. There is a Host File engine that I recommend that is fast and secure.

    1. Re:Hosts Files by Anonymous Coward · · Score: 1

      Too late, he's already been summoned.

  5. Kill it with fire by shellster_dude · · Score: 2

    In 2018 we should be putting a bullet through the head of unencrypted SMTP and insecure protocols like STARTTLS. I've been running my mail server only allowing secure SMTP over TLS with medium grade ciphers or better, and IMAPS (and only allowing email sending if over secure connection). I've yet to run into issues in the last two years. The only problem is that some people's mail servers keep groping my box for port 25 first, instead of just trying SMTP/TLS and then failing if it can't. For the few devices I have that can't handle SMTP over TLS, I either replace them, or when I can't, I run them over a VPN, and whitelist their IP.

    1. Re:Kill it with fire by Anonymous Coward · · Score: 1

      > I've been running my mail server only allowing secure SMTP over TLS with medium grade ciphers or better,
      > and IMAPS (and only allowing email sending if over secure connection).
      > I've yet to run into issues in the last two years.

      You must not be sending/receiving much mail then! About half of providers in my case, especially newsletter mailers, do not support any of it and all such mails bounce. Then you get the 'Your email doesn't work' infos via other channels, even though it's their provider with a crappy mail setup.
      Hence the EFF has the right idea. Develop the eco-system, then an upgrade to mandatory becomes viable.

      Fuck all the idiots with their constant 'I know better's'! Not that they're necessarily incorrect, but that drivel has kept any reasonable safety mechanism at bay for decades now by scaring people off at the very beginning. Remember the PGP debates? And look how many people use it today...epic success for the Nay-sayers!

  6. STARTTLS has been SOP for years by Anonymous Coward · · Score: 1

    STARTTLS has been standard operating procedure since we found out the NSA was a bad actor ten years ago. It's a central feature of every mail transfer agent. Other than spam most email uses it, and has for a long long time.

  7. hop-to-nsa-to-hop encryption - fixed that for you by kiviQr · · Score: 1

    hop-to-nsa-to-hop encryption - why do half steps?

  8. this is good enough for most people by Anonymous Coward · · Score: 1

    Now, connection security only matters if someone has the ability to listen in to the connection. If someone can listen in, they likely can modify the traffic as well. So here's how to break STARTTLS: Remove the 'starttls' capability from the MTA's EHLO response. Done.

    Except that currently, with completely clear-text SMTP transactions, surveillance departments can tap glass and do a wholesale capture of all e-mail traffic over a network hop.

    If, however, everyone starts using STARTTLS then the three-letter agencies have to start expending resources to MITM all those various connections. This is much more difficult than simply slurping up bits.

    For most people this is good enough. If you're on the government's radar chances are you're fucked when it comes to being monitoring, but by scrambling all traffic at least innocent people aren't caught in the cross fire of governments monitoring for nefarious activities.

    The choice is not: 0% security for everyone (plain SMTP) or 100% security for everyone (S/MIME, PGP). Opportunistic encryption is on the sliding scale of giving many people 10/20/40/80/whatever-percent security, all of which is better than 0.

    Perfect is the enemy of good (enough).

    1. Re:this is good enough for most people by fisted · · Score: 1

      Except that currently, with completely clear-text SMTP transactions, surveillance departments can tap glass and do a wholesale capture of all e-mail traffic over a network hop.

      If, however, everyone starts using STARTTLS then the three-letter agencies have to start expending resources to MITM all those various connections. This is much more difficult than simply slurping up bits.

      Yes, good point.

      The choice is not: 0% security for everyone (plain SMTP) or 100% security for everyone (S/MIME, PGP). Opportunistic encryption is on the sliding scale of giving many people 10/20/40/80/whatever-percent security, all of which is better than 0.

      Sure. But keep in mind this is just an EFF recommendation, as far as I understand it. So in and by itself, it doesn't make anybody enable anything. Since this is still dependent on admins (and MUA developers) taking action, they might as well have recommended to go for unconditional SMTPS instead of STARTTLS.

      Re your follow up comment, I fail to see how "You have to use STARTTLS with this MTA" is any different (except in that it still allows a MITM to briefly mess with the connection) from SMTPS...

      Perfect is the enemy of good (enough).

      The problem is that "good enough" isn't necessarily good enough, because the people who define what's good enough may be mistaken.

      --
      CLI paste? paste.pr0.tips!
  9. Yes, of course by bferrell · · Score: 1

    We want an ecosystem that encourages and allows choice... and then decide to force certain choices down you your throat.

    wait... what?!

    In general, I support the EFF. When this sort of fundamentalist thinking mode takes hold, the end is NEVER good, no matter how well intentioned.

  10. If sponsoring Let's Encrypt means selling certs by tepples · · Score: 1

    Is the EFF trying to sell certificates now?

    Not quite, but Electronic Frontier Foundation is sponsoring the Let's Encrypt CA. In addition, many of the same companies sponsor both EFF (source) and LE (source). Fastly and DigitalOcean, for example, sponsor both organizations.

    once negotiated it prevent interception of the message being TRANSPORTED over the network. In order to do this self-signed certificates are perfectly adequate.

    "Negotiation" of a TLS connection includes the client accepting the certificate that the server presents. This is fine over a LAN, as (say) a printer can write the fingerprint of its self-signed certificate to paper in text and QR code form, or a home server appliance can use a composite, VGA, or HDMI output or a built-in status LCD to display the fingerprint. But it's less fine at Internet scale unless there's some convenient means of out-of-band communication between the operators of the client and the server. How would it be practical for every MTA operator to verify every other MTA's self-signed certificate through out-of-band communication?

    1. Re:If sponsoring Let's Encrypt means selling certs by marka63 · · Score: 1

      See RFC 6698, The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA

      This is a solved problem. You just need to use the solution.

  11. junk by Khashishi · · Score: 1

    What's the point of a half-assed solution when a full ass exists? This will only serve to marginalize full end-to-end encryption. Did NSA pay for this one?

    1. Re:junk by geoff_smith82 · · Score: 1

      Na this still helps. Even with fully encrypted email there would still be a lot of meta data that could be monitored without accessing the mail servers. This will cut that down. I'm sure the eff would be interested in the end to end encryption eventually as well.

  12. DNSSEC is an upsell at some popular registrars by tepples · · Score: 1

    DANE requires DNSSEC, and adoption of DNSSEC requires domain name registrars and DNS zone hosts to make it cheap and easy. Right now many don't. For example, last I checked, GoDaddy considered DNSSEC to be a "premium" feature not included in the zone hosting bundled with registration. I'd assume this is to discourage use of DANE in favor of GoDaddy's CA, but I'm interested in defenses of why this is mere incompetence on GoDaddy's part.

  13. If only... by Agripa · · Score: 1

    If only there was a unified protocol for creating encrypted sessions between systems for all IP packets.