One of the things that's annoyed me is that even if both sides support STARTTLS, you can't easily tell if any given email has been transferred securely.
It looks like some big names (but not IBM) have picked up this banner recently and put in a draft to the IETF to address this:
This means that STARTTLS connections are vulnerable to man-in-the-middle attacks, where a hacker in a position to intercept the traffic could present the email sender with any certificate, even a self-signed one, and it will be accepted, allowing for the traffic to be decrypted. Furthermore, STARTTLS connections are vulnerable to so-called encryption downgrade attacks, where the encryption is simply removed.
The newly proposed SMTP Strict Transport Security (SMTP STS) addresses both of those issues. It gives email providers the means to inform connecting clients that TLS is available and should be used. It also tells them how the presented certificate should be validated and what should happen if a TLS connection cannot be safely negotiated.
These SMTP STS policies are defined through special DNS records added to the email server's domain name. The protocol provides mechanisms for clients to automatically validate these policies and to report back on any failures.
IETF group proposes better SMTP hardening to secure email. At last
Google, Microsoft, Yahoo, and others publish new email security standard
Craig Wiseman March 22nd, 2016 08:43:17 PM
Discussion for this entry is now closed.