Why is STARTTLS used when it can be downgraded very easily?Why enable SMTP STARTTLS if OpenSSL is dangerous?Why don't very many HTTPS websites supply ownership information in their certs?Perfectly secure Postfix MTA (SMTP) configurationUsage of Ephemeral Diffie-Hellman ciphers in 2015 and beyondWhat to do when Google disables SSLv3 and RC4?How can I validate the authenticity of SSL certificates when Blue Coat is used?Can STARTTLS protect emails between two organisations?Is SSL/TLS pointless for IRC?
How do we know neutrons have no charge?
Neighbouring numbers summing to a prime
Is determiner 'a' needed in "one would call such a value a constant"?
Vilna Gaon's gematria for the number of kosher & non-kosher sukkot in Masechet Sukkah
What should I consider when deciding whether to delay an exam?
Can a passenger predict that an airline is about to go bankrupt?
As a team leader is it appropriate to bring in fundraiser candy?
How important are trig identities for Calculus
After viewing logs with journalctl, how do I exit the screen that says "lines 1-2/2 (END)"?
Assembly of PCBs containing a mix of SMT and thru-hole parts?
How JS split works on arabic plus english number strings?
Can I pay some of the cost of an activated ability lots of times to get more out of the effect?
Can you cure a Gorgon's Petrifying Breath before it finishes turning a target to stone?
How do I introduce dark themes?
Create the same subfolders in another folder
Is it ok if I haven't decided my research topic when I first meet with a potential phd advisor?
Why are the wings of some modern gliders tadpole shaped?
How to say "respectively" in German when listing (enumerating) things
Why do Russians sometimes spell "жирный" (fatty) as "жырный"?
What are one's options when facing religious discrimination at the airport?
Why would an airline put 15 passengers at once on standby?
Avoiding dust scattering when you drill
Fix Ethernet 10/100 PoE cable with 7 out of 8 wires alive
Beyond Futuristic Technology for an Alien Warship?
Why is STARTTLS used when it can be downgraded very easily?
Why enable SMTP STARTTLS if OpenSSL is dangerous?Why don't very many HTTPS websites supply ownership information in their certs?Perfectly secure Postfix MTA (SMTP) configurationUsage of Ephemeral Diffie-Hellman ciphers in 2015 and beyondWhat to do when Google disables SSLv3 and RC4?How can I validate the authenticity of SSL certificates when Blue Coat is used?Can STARTTLS protect emails between two organisations?Is SSL/TLS pointless for IRC?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
People are making a big fuss about how you absolutely have to disable SSLv3 because TLS can be downgraded to SSLv3 and there is barely a server left on the internet that speaks SSLv3.
At the same time, almost every mail server out there will happily support STARTTLS, which can be trivially (like: 3 lines of code or so) downgraded to plain text.
What am I missing?
tls starttls
asked 2 days ago
AndreKRAndreKR
2542 silver badges9 bronze badges
add a comment
|
People are making a big fuss about how you absolutely have to disable SSLv3 because TLS can be downgraded to SSLv3 and there is barely a server left on the internet that speaks SSLv3.
At the same time, almost every mail server out there will happily support STARTTLS, which can be trivially (like: 3 lines of code or so) downgraded to plain text.
What am I missing?
tls starttls
asked 2 days ago
AndreKRAndreKR
2542 silver badges9 bronze badges
Incidentally, the server speaking SSLv3 is not the primary issue. I've heard reasonable reports the downgrade can still happen if the client supports SSLv3 even if the server doesn't. In any case, if the client refuses to support SSLv3 the attack simply can't happen.
– Joshua
16 hours ago
I think the title could be improved to something like: "Why is STARTTLS used when it can be downgraded very easily?" What do you think, AndreKR, does that still reflect your question correctly? The current title sounds like starttls is outdated or deprecated and even had me confused for a minute.
– Luc
10 hours ago
@Luc Yes, that works too, changed it. What I actually meant is more like "Why is STARTTLS used and SSLv3 is not when both can be made insecure by downgrading?"
– AndreKR
18 mins ago
add a comment
|
People are making a big fuss about how you absolutely have to disable SSLv3 because TLS can be downgraded to SSLv3 and there is barely a server left on the internet that speaks SSLv3.
At the same time, almost every mail server out there will happily support STARTTLS, which can be trivially (like: 3 lines of code or so) downgraded to plain text.
What am I missing?
tls starttls
asked 2 days ago
AndreKRAndreKR
2542 silver badges9 bronze badges
People are making a big fuss about how you absolutely have to disable SSLv3 because TLS can be downgraded to SSLv3 and there is barely a server left on the internet that speaks SSLv3.
At the same time, almost every mail server out there will happily support STARTTLS, which can be trivially (like: 3 lines of code or so) downgraded to plain text.
What am I missing?
tls starttls
tls starttls
asked 2 days ago
AndreKRAndreKR
2542 silver badges9 bronze badges
asked 2 days ago
AndreKRAndreKR
2542 silver badges9 bronze badges
edited 19 mins ago
AndreKR
asked 2 days ago
AndreKRAndreKR
2542 silver badges9 bronze badges
asked 2 days ago
AndreKRAndreKR
2542 silver badges9 bronze badges
asked 2 days ago
AndreKRAndreKR
2542 silver badges9 bronze badges
2542 silver badges9 bronze badges
Incidentally, the server speaking SSLv3 is not the primary issue. I've heard reasonable reports the downgrade can still happen if the client supports SSLv3 even if the server doesn't. In any case, if the client refuses to support SSLv3 the attack simply can't happen.
– Joshua
16 hours ago
I think the title could be improved to something like: "Why is STARTTLS used when it can be downgraded very easily?" What do you think, AndreKR, does that still reflect your question correctly? The current title sounds like starttls is outdated or deprecated and even had me confused for a minute.
– Luc
10 hours ago
@Luc Yes, that works too, changed it. What I actually meant is more like "Why is STARTTLS used and SSLv3 is not when both can be made insecure by downgrading?"
– AndreKR
18 mins ago
add a comment
|
Incidentally, the server speaking SSLv3 is not the primary issue. I've heard reasonable reports the downgrade can still happen if the client supports SSLv3 even if the server doesn't. In any case, if the client refuses to support SSLv3 the attack simply can't happen.
– Joshua
16 hours ago
I think the title could be improved to something like: "Why is STARTTLS used when it can be downgraded very easily?" What do you think, AndreKR, does that still reflect your question correctly? The current title sounds like starttls is outdated or deprecated and even had me confused for a minute.
– Luc
10 hours ago
@Luc Yes, that works too, changed it. What I actually meant is more like "Why is STARTTLS used and SSLv3 is not when both can be made insecure by downgrading?"
– AndreKR
18 mins ago
Incidentally, the server speaking SSLv3 is not the primary issue. I've heard reasonable reports the downgrade can still happen if the client supports SSLv3 even if the server doesn't. In any case, if the client refuses to support SSLv3 the attack simply can't happen.
– Joshua
16 hours ago
Incidentally, the server speaking SSLv3 is not the primary issue. I've heard reasonable reports the downgrade can still happen if the client supports SSLv3 even if the server doesn't. In any case, if the client refuses to support SSLv3 the attack simply can't happen.
– Joshua
16 hours ago
I think the title could be improved to something like: "Why is STARTTLS used when it can be downgraded very easily?" What do you think, AndreKR, does that still reflect your question correctly? The current title sounds like starttls is outdated or deprecated and even had me confused for a minute.
– Luc
10 hours ago
I think the title could be improved to something like: "Why is STARTTLS used when it can be downgraded very easily?" What do you think, AndreKR, does that still reflect your question correctly? The current title sounds like starttls is outdated or deprecated and even had me confused for a minute.
– Luc
10 hours ago
@Luc Yes, that works too, changed it. What I actually meant is more like "Why is STARTTLS used and SSLv3 is not when both can be made insecure by downgrading?"
– AndreKR
18 mins ago
@Luc Yes, that works too, changed it. What I actually meant is more like "Why is STARTTLS used and SSLv3 is not when both can be made insecure by downgrading?"
– AndreKR
18 mins ago
add a comment
|
2 Answers
2
active
oldest
votes
The problem you describe is not the use of STARTTLS by itself but the optional use of STARTTLS. Mail systems can be setup so that TLS is required in which case the mail will not be delivered if STARTTLS will fail or if the peer does not offer support for STARTTLS in EHLO. Required STARTTLS is is as safe as required TLS from start.
The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there which don't support TLS. The current transparency report from Google shows only 90% of all mails delivered from Google by TLS, which means that 10% of the mails are delivered to an MTA which does not support TLS.
Apart from that even with mandatory TLS the mail is not delivered in a sufficiently secure way. TLS is only used between the various hops during mail delivery and does not provide the end-to-end security which TLS provides in HTTPS. This means every mail server on the path has access to the plain text of the mail and can read and modify it, unless the mail is additionally protected with end-to-end protections like PGP or S/MIME.
answered 2 days ago
Steffen UllrichSteffen Ullrich
131k17 gold badges237 silver badges303 bronze badges
2
"The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there [10%] which don't support TLS." - On the other hand, both Chrome and Firefox have had no problems with 1) marking plain-HTTP website as insecure, 2) blocking broken ciphers and certificates using weak crypto, and 3) dropping untrustworthy Certificate Authorities. I think large e-mail providers could (and perhaps should) definitely make a push for TLS-requires e-mail, if they so desired.
– marcelm
2 days ago
27
@marcelm: The user experience with mail is very different from web. If a web site is insecure the user gets immediate feedback and can decide what to do (like temporarily ignore the warning). With mail the user gets immediate feedback only about delivery to the first hop (usually the MTA for the senders domain). Any delivery problems at the next hops only result in cryptic delivery status notification mails which most users don't really understand - often already because these DSN are in English no matter which language the sender speaks. And the sender has no way to force delivery anyway.
– Steffen Ullrich
2 days ago
7
@marcelm: "Another thing they could do is mark non-TLS-delivered messages in users' inboxes as "delivered insecurely" (much like browser non-HTTPS warnings)" - they can only offer reliable information about the last step of delivery (and gmail is actually doing this) but not about the previous hops (Receivedheader of the mail does not provide such information in a reliable way). "... run some statistics..." - they are doing this and these are linked from my answer. Use of TLS is actually growing as you can see when playing with the dates in the transparency report.
– Steffen Ullrich
2 days ago
3
@marcelm: Gmail for example does mark non-TLS mail delivery as insecure (red broken lock and all).
– grawity
yesterday
2
@SteffenUllrich I got my professional start doing SMTP admin 20 years ago, and I have yet to encounter a DSN that I would describe as "in English"!
– chrylis
yesterday
|
show 1 more comment
Downgrade attacks are active attacks.
Active attacks are much easier to detect, and are typically more difficult to perform, than their passive counterparts.
Opportunistic encryption, such as optional STARTTLS in SMTP, mainly protects against passive surveillance where traffic is undetectably either analyzed while in transit, or stored for later analysis. You are perfectly correct that opportunistic encryption doesn't protect against active attacks. Opportunistic encryption in general simply doesn't try to protect against an attack where the attacker is able and willing to modify the data in transit; that's outside its scope. Similarly, opportunistic STARTTLS doesn't protect against a rogue mail server passing the data on to a third party; that's outside its scope.
At least some SMTP servers (the rather popular Postfix being one of them) can be configured to require TLS when sending (or receiving) mail, either globally or manually on a per-MX basis for outgoing mail. When configured like that, if STARTTLS fails or is unavailable (regardless of the reason why that is the case), the SMTP session can be rejected, based on locally configured policy.
While active attacks certainly do happen, there is good reason to believe that passive traffic monitoring is widespread on today's Internet. Pervasive monitoring is an attack which often can, and certainly should where possible, be mitigated.
Therefore, even if opportunistic encryption does nothing whatsoever to protect against active attackers, it's a win because it prevents passive traffic monitoring and surveillance from learning more than necessary about the data being communicated. The same argument would apply to unauthenticated HTTPS as well, in that even though it wouldn't protect against every attack, it would still be an improvement over communicating entirely in the clear from a communications privacy point of view.
There's a standard, RFC 8461 SMTP MTA Strict Transport Security (MTA-STS), which can be used to specify that mail server traffic for a given domain requires TLS. That standard is still pretty new (the RFC is dated September 2018), so I would expect support for this to be spotty, but again, as long as everything is set up correctly, to publish a MTA-STS policy will, at worst, result in no improvement of communications privacy (because a MTA that does not implement MTA-STS will simply act as if no MTA-STS policy at all was published, while a MTA that does implement MTA-STS correctly will be able to take the published MTA-STS policy into account for policy decisions).
In addition, there is a standards track SMTP extension, REQUIRETLS, which can be used to specify that transport-layer security should be prioritized over message delivery.
Even though downgrade attacks are possible with purely opportunistic encryption, that doesn't mean that purely opportunistic encryption is worthless. It just means that there are threats that purely opportunistic encryption doesn't address; which is no different from the fact that there are threats that required encryption doesn't address.
answered 2 days ago
a CVna CVn
7,0361 gold badge24 silver badges49 bronze badges
The common way to actively attack STARTTLS is not to attack the attempt of an TLS handshake but to claim that the recipient MTA does not support STARTTLS in the first place by modifying the response to the EHLO command and to claim that STARTTLS is not supported when trying. See Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?. The sender MTA cannot conclude from this an active attack, it can only conclude that recipient MTA does not support STARTTLS.
– Steffen Ullrich
2 days ago
@SteffenUllrich That may be so, but it's still an active attack that requires tampering with the SMTP transaction, basically as it is happening; therefore requiring an adversary capable and willing to do more than passively monitor traffic. The important distinction isn't which method is used to prevent STARTTLS, but rather whether the attack is active or passive in the first place. By definition, downgrade attacks cannot be passive; any downgrade attack has to be an active attack at some level. Beyond that, MTA-STS (once it, hopefully, becomes widely supported) is a decent next step.
– a CVn
yesterday
I agree that it is an active attack and said so in my comment. But contrary to the example in your answer it is an active attack which cannot be detected by the MTA unless it somehow knows already that the peer will support TLS. And that is the point I was trying to make, that it might not be possible to detect that an active attack is going on.
– Steffen Ullrich
yesterday
@SteffenUllrich See edit.
– a CVn
yesterday
1
"Active attacks are much easier to detect than their passive counterparts." - kind of. Another point is that active attacks are not only easier to detect but harder to do in the first place since the attacker not only needs be able to sniff (could be on a mirror port of a router or by using the standardized interception interfaces for law enforcement) but needs to be able to modify the traffic.
– Steffen Ullrich
yesterday
|
show 5 more comments
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f218451%2fwhy-is-starttls-used-when-it-can-be-downgraded-very-easily%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
The problem you describe is not the use of STARTTLS by itself but the optional use of STARTTLS. Mail systems can be setup so that TLS is required in which case the mail will not be delivered if STARTTLS will fail or if the peer does not offer support for STARTTLS in EHLO. Required STARTTLS is is as safe as required TLS from start.
The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there which don't support TLS. The current transparency report from Google shows only 90% of all mails delivered from Google by TLS, which means that 10% of the mails are delivered to an MTA which does not support TLS.
Apart from that even with mandatory TLS the mail is not delivered in a sufficiently secure way. TLS is only used between the various hops during mail delivery and does not provide the end-to-end security which TLS provides in HTTPS. This means every mail server on the path has access to the plain text of the mail and can read and modify it, unless the mail is additionally protected with end-to-end protections like PGP or S/MIME.
answered 2 days ago
Steffen UllrichSteffen Ullrich
131k17 gold badges237 silver badges303 bronze badges
2
"The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there [10%] which don't support TLS." - On the other hand, both Chrome and Firefox have had no problems with 1) marking plain-HTTP website as insecure, 2) blocking broken ciphers and certificates using weak crypto, and 3) dropping untrustworthy Certificate Authorities. I think large e-mail providers could (and perhaps should) definitely make a push for TLS-requires e-mail, if they so desired.
– marcelm
2 days ago
27
@marcelm: The user experience with mail is very different from web. If a web site is insecure the user gets immediate feedback and can decide what to do (like temporarily ignore the warning). With mail the user gets immediate feedback only about delivery to the first hop (usually the MTA for the senders domain). Any delivery problems at the next hops only result in cryptic delivery status notification mails which most users don't really understand - often already because these DSN are in English no matter which language the sender speaks. And the sender has no way to force delivery anyway.
– Steffen Ullrich
2 days ago
7
@marcelm: "Another thing they could do is mark non-TLS-delivered messages in users' inboxes as "delivered insecurely" (much like browser non-HTTPS warnings)" - they can only offer reliable information about the last step of delivery (and gmail is actually doing this) but not about the previous hops (Receivedheader of the mail does not provide such information in a reliable way). "... run some statistics..." - they are doing this and these are linked from my answer. Use of TLS is actually growing as you can see when playing with the dates in the transparency report.
– Steffen Ullrich
2 days ago
3
@marcelm: Gmail for example does mark non-TLS mail delivery as insecure (red broken lock and all).
– grawity
yesterday
2
@SteffenUllrich I got my professional start doing SMTP admin 20 years ago, and I have yet to encounter a DSN that I would describe as "in English"!
– chrylis
yesterday
|
show 1 more comment
The problem you describe is not the use of STARTTLS by itself but the optional use of STARTTLS. Mail systems can be setup so that TLS is required in which case the mail will not be delivered if STARTTLS will fail or if the peer does not offer support for STARTTLS in EHLO. Required STARTTLS is is as safe as required TLS from start.
The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there which don't support TLS. The current transparency report from Google shows only 90% of all mails delivered from Google by TLS, which means that 10% of the mails are delivered to an MTA which does not support TLS.
Apart from that even with mandatory TLS the mail is not delivered in a sufficiently secure way. TLS is only used between the various hops during mail delivery and does not provide the end-to-end security which TLS provides in HTTPS. This means every mail server on the path has access to the plain text of the mail and can read and modify it, unless the mail is additionally protected with end-to-end protections like PGP or S/MIME.
answered 2 days ago
Steffen UllrichSteffen Ullrich
131k17 gold badges237 silver badges303 bronze badges
2
"The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there [10%] which don't support TLS." - On the other hand, both Chrome and Firefox have had no problems with 1) marking plain-HTTP website as insecure, 2) blocking broken ciphers and certificates using weak crypto, and 3) dropping untrustworthy Certificate Authorities. I think large e-mail providers could (and perhaps should) definitely make a push for TLS-requires e-mail, if they so desired.
– marcelm
2 days ago
27
@marcelm: The user experience with mail is very different from web. If a web site is insecure the user gets immediate feedback and can decide what to do (like temporarily ignore the warning). With mail the user gets immediate feedback only about delivery to the first hop (usually the MTA for the senders domain). Any delivery problems at the next hops only result in cryptic delivery status notification mails which most users don't really understand - often already because these DSN are in English no matter which language the sender speaks. And the sender has no way to force delivery anyway.
– Steffen Ullrich
2 days ago
7
@marcelm: "Another thing they could do is mark non-TLS-delivered messages in users' inboxes as "delivered insecurely" (much like browser non-HTTPS warnings)" - they can only offer reliable information about the last step of delivery (and gmail is actually doing this) but not about the previous hops (Receivedheader of the mail does not provide such information in a reliable way). "... run some statistics..." - they are doing this and these are linked from my answer. Use of TLS is actually growing as you can see when playing with the dates in the transparency report.
– Steffen Ullrich
2 days ago
3
@marcelm: Gmail for example does mark non-TLS mail delivery as insecure (red broken lock and all).
– grawity
yesterday
2
@SteffenUllrich I got my professional start doing SMTP admin 20 years ago, and I have yet to encounter a DSN that I would describe as "in English"!
– chrylis
yesterday
|
show 1 more comment
The problem you describe is not the use of STARTTLS by itself but the optional use of STARTTLS. Mail systems can be setup so that TLS is required in which case the mail will not be delivered if STARTTLS will fail or if the peer does not offer support for STARTTLS in EHLO. Required STARTTLS is is as safe as required TLS from start.
The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there which don't support TLS. The current transparency report from Google shows only 90% of all mails delivered from Google by TLS, which means that 10% of the mails are delivered to an MTA which does not support TLS.
Apart from that even with mandatory TLS the mail is not delivered in a sufficiently secure way. TLS is only used between the various hops during mail delivery and does not provide the end-to-end security which TLS provides in HTTPS. This means every mail server on the path has access to the plain text of the mail and can read and modify it, unless the mail is additionally protected with end-to-end protections like PGP or S/MIME.
answered 2 days ago
Steffen UllrichSteffen Ullrich
131k17 gold badges237 silver badges303 bronze badges
The problem you describe is not the use of STARTTLS by itself but the optional use of STARTTLS. Mail systems can be setup so that TLS is required in which case the mail will not be delivered if STARTTLS will fail or if the peer does not offer support for STARTTLS in EHLO. Required STARTTLS is is as safe as required TLS from start.
The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there which don't support TLS. The current transparency report from Google shows only 90% of all mails delivered from Google by TLS, which means that 10% of the mails are delivered to an MTA which does not support TLS.
Apart from that even with mandatory TLS the mail is not delivered in a sufficiently secure way. TLS is only used between the various hops during mail delivery and does not provide the end-to-end security which TLS provides in HTTPS. This means every mail server on the path has access to the plain text of the mail and can read and modify it, unless the mail is additionally protected with end-to-end protections like PGP or S/MIME.
answered 2 days ago
Steffen UllrichSteffen Ullrich
131k17 gold badges237 silver badges303 bronze badges
edited 2 days ago
answered 2 days ago
Steffen UllrichSteffen Ullrich
131k17 gold badges237 silver badges303 bronze badges
answered 2 days ago
Steffen UllrichSteffen Ullrich
131k17 gold badges237 silver badges303 bronze badges
answered 2 days ago
Steffen UllrichSteffen Ullrich
131k17 gold badges237 silver badges303 bronze badges
131k17 gold badges237 silver badges303 bronze badges
2
"The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there [10%] which don't support TLS." - On the other hand, both Chrome and Firefox have had no problems with 1) marking plain-HTTP website as insecure, 2) blocking broken ciphers and certificates using weak crypto, and 3) dropping untrustworthy Certificate Authorities. I think large e-mail providers could (and perhaps should) definitely make a push for TLS-requires e-mail, if they so desired.
– marcelm
2 days ago
27
@marcelm: The user experience with mail is very different from web. If a web site is insecure the user gets immediate feedback and can decide what to do (like temporarily ignore the warning). With mail the user gets immediate feedback only about delivery to the first hop (usually the MTA for the senders domain). Any delivery problems at the next hops only result in cryptic delivery status notification mails which most users don't really understand - often already because these DSN are in English no matter which language the sender speaks. And the sender has no way to force delivery anyway.
– Steffen Ullrich
2 days ago
7
@marcelm: "Another thing they could do is mark non-TLS-delivered messages in users' inboxes as "delivered insecurely" (much like browser non-HTTPS warnings)" - they can only offer reliable information about the last step of delivery (and gmail is actually doing this) but not about the previous hops (Receivedheader of the mail does not provide such information in a reliable way). "... run some statistics..." - they are doing this and these are linked from my answer. Use of TLS is actually growing as you can see when playing with the dates in the transparency report.
– Steffen Ullrich
2 days ago
3
@marcelm: Gmail for example does mark non-TLS mail delivery as insecure (red broken lock and all).
– grawity
yesterday
2
@SteffenUllrich I got my professional start doing SMTP admin 20 years ago, and I have yet to encounter a DSN that I would describe as "in English"!
– chrylis
yesterday
|
show 1 more comment
2
"The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there [10%] which don't support TLS." - On the other hand, both Chrome and Firefox have had no problems with 1) marking plain-HTTP website as insecure, 2) blocking broken ciphers and certificates using weak crypto, and 3) dropping untrustworthy Certificate Authorities. I think large e-mail providers could (and perhaps should) definitely make a push for TLS-requires e-mail, if they so desired.
– marcelm
2 days ago
27
@marcelm: The user experience with mail is very different from web. If a web site is insecure the user gets immediate feedback and can decide what to do (like temporarily ignore the warning). With mail the user gets immediate feedback only about delivery to the first hop (usually the MTA for the senders domain). Any delivery problems at the next hops only result in cryptic delivery status notification mails which most users don't really understand - often already because these DSN are in English no matter which language the sender speaks. And the sender has no way to force delivery anyway.
– Steffen Ullrich
2 days ago
7
@marcelm: "Another thing they could do is mark non-TLS-delivered messages in users' inboxes as "delivered insecurely" (much like browser non-HTTPS warnings)" - they can only offer reliable information about the last step of delivery (and gmail is actually doing this) but not about the previous hops (Receivedheader of the mail does not provide such information in a reliable way). "... run some statistics..." - they are doing this and these are linked from my answer. Use of TLS is actually growing as you can see when playing with the dates in the transparency report.
– Steffen Ullrich
2 days ago
3
@marcelm: Gmail for example does mark non-TLS mail delivery as insecure (red broken lock and all).
– grawity
yesterday
2
@SteffenUllrich I got my professional start doing SMTP admin 20 years ago, and I have yet to encounter a DSN that I would describe as "in English"!
– chrylis
yesterday
2
2
"The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there [10%] which don't support TLS." - On the other hand, both Chrome and Firefox have had no problems with 1) marking plain-HTTP website as insecure, 2) blocking broken ciphers and certificates using weak crypto, and 3) dropping untrustworthy Certificate Authorities. I think large e-mail providers could (and perhaps should) definitely make a push for TLS-requires e-mail, if they so desired.
– marcelm
2 days ago
"The reason STARTTLS is not mandatory in most setups is because there are still enough systems out there [10%] which don't support TLS." - On the other hand, both Chrome and Firefox have had no problems with 1) marking plain-HTTP website as insecure, 2) blocking broken ciphers and certificates using weak crypto, and 3) dropping untrustworthy Certificate Authorities. I think large e-mail providers could (and perhaps should) definitely make a push for TLS-requires e-mail, if they so desired.
– marcelm
2 days ago
27
27
@marcelm: The user experience with mail is very different from web. If a web site is insecure the user gets immediate feedback and can decide what to do (like temporarily ignore the warning). With mail the user gets immediate feedback only about delivery to the first hop (usually the MTA for the senders domain). Any delivery problems at the next hops only result in cryptic delivery status notification mails which most users don't really understand - often already because these DSN are in English no matter which language the sender speaks. And the sender has no way to force delivery anyway.
– Steffen Ullrich
2 days ago
@marcelm: The user experience with mail is very different from web. If a web site is insecure the user gets immediate feedback and can decide what to do (like temporarily ignore the warning). With mail the user gets immediate feedback only about delivery to the first hop (usually the MTA for the senders domain). Any delivery problems at the next hops only result in cryptic delivery status notification mails which most users don't really understand - often already because these DSN are in English no matter which language the sender speaks. And the sender has no way to force delivery anyway.
– Steffen Ullrich
2 days ago
7
7
@marcelm: "Another thing they could do is mark non-TLS-delivered messages in users' inboxes as "delivered insecurely" (much like browser non-HTTPS warnings)" - they can only offer reliable information about the last step of delivery (and gmail is actually doing this) but not about the previous hops (
Received header of the mail does not provide such information in a reliable way). "... run some statistics..." - they are doing this and these are linked from my answer. Use of TLS is actually growing as you can see when playing with the dates in the transparency report.– Steffen Ullrich
2 days ago
@marcelm: "Another thing they could do is mark non-TLS-delivered messages in users' inboxes as "delivered insecurely" (much like browser non-HTTPS warnings)" - they can only offer reliable information about the last step of delivery (and gmail is actually doing this) but not about the previous hops (
Received header of the mail does not provide such information in a reliable way). "... run some statistics..." - they are doing this and these are linked from my answer. Use of TLS is actually growing as you can see when playing with the dates in the transparency report.– Steffen Ullrich
2 days ago
3
3
@marcelm: Gmail for example does mark non-TLS mail delivery as insecure (red broken lock and all).
– grawity
yesterday
@marcelm: Gmail for example does mark non-TLS mail delivery as insecure (red broken lock and all).
– grawity
yesterday
2
2
@SteffenUllrich I got my professional start doing SMTP admin 20 years ago, and I have yet to encounter a DSN that I would describe as "in English"!
– chrylis
yesterday
@SteffenUllrich I got my professional start doing SMTP admin 20 years ago, and I have yet to encounter a DSN that I would describe as "in English"!
– chrylis
yesterday
|
show 1 more comment
Downgrade attacks are active attacks.
Active attacks are much easier to detect, and are typically more difficult to perform, than their passive counterparts.
Opportunistic encryption, such as optional STARTTLS in SMTP, mainly protects against passive surveillance where traffic is undetectably either analyzed while in transit, or stored for later analysis. You are perfectly correct that opportunistic encryption doesn't protect against active attacks. Opportunistic encryption in general simply doesn't try to protect against an attack where the attacker is able and willing to modify the data in transit; that's outside its scope. Similarly, opportunistic STARTTLS doesn't protect against a rogue mail server passing the data on to a third party; that's outside its scope.
At least some SMTP servers (the rather popular Postfix being one of them) can be configured to require TLS when sending (or receiving) mail, either globally or manually on a per-MX basis for outgoing mail. When configured like that, if STARTTLS fails or is unavailable (regardless of the reason why that is the case), the SMTP session can be rejected, based on locally configured policy.
While active attacks certainly do happen, there is good reason to believe that passive traffic monitoring is widespread on today's Internet. Pervasive monitoring is an attack which often can, and certainly should where possible, be mitigated.
Therefore, even if opportunistic encryption does nothing whatsoever to protect against active attackers, it's a win because it prevents passive traffic monitoring and surveillance from learning more than necessary about the data being communicated. The same argument would apply to unauthenticated HTTPS as well, in that even though it wouldn't protect against every attack, it would still be an improvement over communicating entirely in the clear from a communications privacy point of view.
There's a standard, RFC 8461 SMTP MTA Strict Transport Security (MTA-STS), which can be used to specify that mail server traffic for a given domain requires TLS. That standard is still pretty new (the RFC is dated September 2018), so I would expect support for this to be spotty, but again, as long as everything is set up correctly, to publish a MTA-STS policy will, at worst, result in no improvement of communications privacy (because a MTA that does not implement MTA-STS will simply act as if no MTA-STS policy at all was published, while a MTA that does implement MTA-STS correctly will be able to take the published MTA-STS policy into account for policy decisions).
In addition, there is a standards track SMTP extension, REQUIRETLS, which can be used to specify that transport-layer security should be prioritized over message delivery.
Even though downgrade attacks are possible with purely opportunistic encryption, that doesn't mean that purely opportunistic encryption is worthless. It just means that there are threats that purely opportunistic encryption doesn't address; which is no different from the fact that there are threats that required encryption doesn't address.
answered 2 days ago
a CVna CVn
7,0361 gold badge24 silver badges49 bronze badges
The common way to actively attack STARTTLS is not to attack the attempt of an TLS handshake but to claim that the recipient MTA does not support STARTTLS in the first place by modifying the response to the EHLO command and to claim that STARTTLS is not supported when trying. See Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?. The sender MTA cannot conclude from this an active attack, it can only conclude that recipient MTA does not support STARTTLS.
– Steffen Ullrich
2 days ago
@SteffenUllrich That may be so, but it's still an active attack that requires tampering with the SMTP transaction, basically as it is happening; therefore requiring an adversary capable and willing to do more than passively monitor traffic. The important distinction isn't which method is used to prevent STARTTLS, but rather whether the attack is active or passive in the first place. By definition, downgrade attacks cannot be passive; any downgrade attack has to be an active attack at some level. Beyond that, MTA-STS (once it, hopefully, becomes widely supported) is a decent next step.
– a CVn
yesterday
I agree that it is an active attack and said so in my comment. But contrary to the example in your answer it is an active attack which cannot be detected by the MTA unless it somehow knows already that the peer will support TLS. And that is the point I was trying to make, that it might not be possible to detect that an active attack is going on.
– Steffen Ullrich
yesterday
@SteffenUllrich See edit.
– a CVn
yesterday
1
"Active attacks are much easier to detect than their passive counterparts." - kind of. Another point is that active attacks are not only easier to detect but harder to do in the first place since the attacker not only needs be able to sniff (could be on a mirror port of a router or by using the standardized interception interfaces for law enforcement) but needs to be able to modify the traffic.
– Steffen Ullrich
yesterday
|
show 5 more comments
Downgrade attacks are active attacks.
Active attacks are much easier to detect, and are typically more difficult to perform, than their passive counterparts.
Opportunistic encryption, such as optional STARTTLS in SMTP, mainly protects against passive surveillance where traffic is undetectably either analyzed while in transit, or stored for later analysis. You are perfectly correct that opportunistic encryption doesn't protect against active attacks. Opportunistic encryption in general simply doesn't try to protect against an attack where the attacker is able and willing to modify the data in transit; that's outside its scope. Similarly, opportunistic STARTTLS doesn't protect against a rogue mail server passing the data on to a third party; that's outside its scope.
At least some SMTP servers (the rather popular Postfix being one of them) can be configured to require TLS when sending (or receiving) mail, either globally or manually on a per-MX basis for outgoing mail. When configured like that, if STARTTLS fails or is unavailable (regardless of the reason why that is the case), the SMTP session can be rejected, based on locally configured policy.
While active attacks certainly do happen, there is good reason to believe that passive traffic monitoring is widespread on today's Internet. Pervasive monitoring is an attack which often can, and certainly should where possible, be mitigated.
Therefore, even if opportunistic encryption does nothing whatsoever to protect against active attackers, it's a win because it prevents passive traffic monitoring and surveillance from learning more than necessary about the data being communicated. The same argument would apply to unauthenticated HTTPS as well, in that even though it wouldn't protect against every attack, it would still be an improvement over communicating entirely in the clear from a communications privacy point of view.
There's a standard, RFC 8461 SMTP MTA Strict Transport Security (MTA-STS), which can be used to specify that mail server traffic for a given domain requires TLS. That standard is still pretty new (the RFC is dated September 2018), so I would expect support for this to be spotty, but again, as long as everything is set up correctly, to publish a MTA-STS policy will, at worst, result in no improvement of communications privacy (because a MTA that does not implement MTA-STS will simply act as if no MTA-STS policy at all was published, while a MTA that does implement MTA-STS correctly will be able to take the published MTA-STS policy into account for policy decisions).
In addition, there is a standards track SMTP extension, REQUIRETLS, which can be used to specify that transport-layer security should be prioritized over message delivery.
Even though downgrade attacks are possible with purely opportunistic encryption, that doesn't mean that purely opportunistic encryption is worthless. It just means that there are threats that purely opportunistic encryption doesn't address; which is no different from the fact that there are threats that required encryption doesn't address.
answered 2 days ago
a CVna CVn
7,0361 gold badge24 silver badges49 bronze badges
The common way to actively attack STARTTLS is not to attack the attempt of an TLS handshake but to claim that the recipient MTA does not support STARTTLS in the first place by modifying the response to the EHLO command and to claim that STARTTLS is not supported when trying. See Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?. The sender MTA cannot conclude from this an active attack, it can only conclude that recipient MTA does not support STARTTLS.
– Steffen Ullrich
2 days ago
@SteffenUllrich That may be so, but it's still an active attack that requires tampering with the SMTP transaction, basically as it is happening; therefore requiring an adversary capable and willing to do more than passively monitor traffic. The important distinction isn't which method is used to prevent STARTTLS, but rather whether the attack is active or passive in the first place. By definition, downgrade attacks cannot be passive; any downgrade attack has to be an active attack at some level. Beyond that, MTA-STS (once it, hopefully, becomes widely supported) is a decent next step.
– a CVn
yesterday
I agree that it is an active attack and said so in my comment. But contrary to the example in your answer it is an active attack which cannot be detected by the MTA unless it somehow knows already that the peer will support TLS. And that is the point I was trying to make, that it might not be possible to detect that an active attack is going on.
– Steffen Ullrich
yesterday
@SteffenUllrich See edit.
– a CVn
yesterday
1
"Active attacks are much easier to detect than their passive counterparts." - kind of. Another point is that active attacks are not only easier to detect but harder to do in the first place since the attacker not only needs be able to sniff (could be on a mirror port of a router or by using the standardized interception interfaces for law enforcement) but needs to be able to modify the traffic.
– Steffen Ullrich
yesterday
|
show 5 more comments
Downgrade attacks are active attacks.
Active attacks are much easier to detect, and are typically more difficult to perform, than their passive counterparts.
Opportunistic encryption, such as optional STARTTLS in SMTP, mainly protects against passive surveillance where traffic is undetectably either analyzed while in transit, or stored for later analysis. You are perfectly correct that opportunistic encryption doesn't protect against active attacks. Opportunistic encryption in general simply doesn't try to protect against an attack where the attacker is able and willing to modify the data in transit; that's outside its scope. Similarly, opportunistic STARTTLS doesn't protect against a rogue mail server passing the data on to a third party; that's outside its scope.
At least some SMTP servers (the rather popular Postfix being one of them) can be configured to require TLS when sending (or receiving) mail, either globally or manually on a per-MX basis for outgoing mail. When configured like that, if STARTTLS fails or is unavailable (regardless of the reason why that is the case), the SMTP session can be rejected, based on locally configured policy.
While active attacks certainly do happen, there is good reason to believe that passive traffic monitoring is widespread on today's Internet. Pervasive monitoring is an attack which often can, and certainly should where possible, be mitigated.
Therefore, even if opportunistic encryption does nothing whatsoever to protect against active attackers, it's a win because it prevents passive traffic monitoring and surveillance from learning more than necessary about the data being communicated. The same argument would apply to unauthenticated HTTPS as well, in that even though it wouldn't protect against every attack, it would still be an improvement over communicating entirely in the clear from a communications privacy point of view.
There's a standard, RFC 8461 SMTP MTA Strict Transport Security (MTA-STS), which can be used to specify that mail server traffic for a given domain requires TLS. That standard is still pretty new (the RFC is dated September 2018), so I would expect support for this to be spotty, but again, as long as everything is set up correctly, to publish a MTA-STS policy will, at worst, result in no improvement of communications privacy (because a MTA that does not implement MTA-STS will simply act as if no MTA-STS policy at all was published, while a MTA that does implement MTA-STS correctly will be able to take the published MTA-STS policy into account for policy decisions).
In addition, there is a standards track SMTP extension, REQUIRETLS, which can be used to specify that transport-layer security should be prioritized over message delivery.
Even though downgrade attacks are possible with purely opportunistic encryption, that doesn't mean that purely opportunistic encryption is worthless. It just means that there are threats that purely opportunistic encryption doesn't address; which is no different from the fact that there are threats that required encryption doesn't address.
answered 2 days ago
a CVna CVn
7,0361 gold badge24 silver badges49 bronze badges
Downgrade attacks are active attacks.
Active attacks are much easier to detect, and are typically more difficult to perform, than their passive counterparts.
Opportunistic encryption, such as optional STARTTLS in SMTP, mainly protects against passive surveillance where traffic is undetectably either analyzed while in transit, or stored for later analysis. You are perfectly correct that opportunistic encryption doesn't protect against active attacks. Opportunistic encryption in general simply doesn't try to protect against an attack where the attacker is able and willing to modify the data in transit; that's outside its scope. Similarly, opportunistic STARTTLS doesn't protect against a rogue mail server passing the data on to a third party; that's outside its scope.
At least some SMTP servers (the rather popular Postfix being one of them) can be configured to require TLS when sending (or receiving) mail, either globally or manually on a per-MX basis for outgoing mail. When configured like that, if STARTTLS fails or is unavailable (regardless of the reason why that is the case), the SMTP session can be rejected, based on locally configured policy.
While active attacks certainly do happen, there is good reason to believe that passive traffic monitoring is widespread on today's Internet. Pervasive monitoring is an attack which often can, and certainly should where possible, be mitigated.
Therefore, even if opportunistic encryption does nothing whatsoever to protect against active attackers, it's a win because it prevents passive traffic monitoring and surveillance from learning more than necessary about the data being communicated. The same argument would apply to unauthenticated HTTPS as well, in that even though it wouldn't protect against every attack, it would still be an improvement over communicating entirely in the clear from a communications privacy point of view.
There's a standard, RFC 8461 SMTP MTA Strict Transport Security (MTA-STS), which can be used to specify that mail server traffic for a given domain requires TLS. That standard is still pretty new (the RFC is dated September 2018), so I would expect support for this to be spotty, but again, as long as everything is set up correctly, to publish a MTA-STS policy will, at worst, result in no improvement of communications privacy (because a MTA that does not implement MTA-STS will simply act as if no MTA-STS policy at all was published, while a MTA that does implement MTA-STS correctly will be able to take the published MTA-STS policy into account for policy decisions).
In addition, there is a standards track SMTP extension, REQUIRETLS, which can be used to specify that transport-layer security should be prioritized over message delivery.
Even though downgrade attacks are possible with purely opportunistic encryption, that doesn't mean that purely opportunistic encryption is worthless. It just means that there are threats that purely opportunistic encryption doesn't address; which is no different from the fact that there are threats that required encryption doesn't address.
answered 2 days ago
a CVna CVn
7,0361 gold badge24 silver badges49 bronze badges
edited 8 hours ago
answered 2 days ago
a CVna CVn
7,0361 gold badge24 silver badges49 bronze badges
answered 2 days ago
a CVna CVn
7,0361 gold badge24 silver badges49 bronze badges
answered 2 days ago
a CVna CVn
7,0361 gold badge24 silver badges49 bronze badges
7,0361 gold badge24 silver badges49 bronze badges
The common way to actively attack STARTTLS is not to attack the attempt of an TLS handshake but to claim that the recipient MTA does not support STARTTLS in the first place by modifying the response to the EHLO command and to claim that STARTTLS is not supported when trying. See Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?. The sender MTA cannot conclude from this an active attack, it can only conclude that recipient MTA does not support STARTTLS.
– Steffen Ullrich
2 days ago
@SteffenUllrich That may be so, but it's still an active attack that requires tampering with the SMTP transaction, basically as it is happening; therefore requiring an adversary capable and willing to do more than passively monitor traffic. The important distinction isn't which method is used to prevent STARTTLS, but rather whether the attack is active or passive in the first place. By definition, downgrade attacks cannot be passive; any downgrade attack has to be an active attack at some level. Beyond that, MTA-STS (once it, hopefully, becomes widely supported) is a decent next step.
– a CVn
yesterday
I agree that it is an active attack and said so in my comment. But contrary to the example in your answer it is an active attack which cannot be detected by the MTA unless it somehow knows already that the peer will support TLS. And that is the point I was trying to make, that it might not be possible to detect that an active attack is going on.
– Steffen Ullrich
yesterday
@SteffenUllrich See edit.
– a CVn
yesterday
1
"Active attacks are much easier to detect than their passive counterparts." - kind of. Another point is that active attacks are not only easier to detect but harder to do in the first place since the attacker not only needs be able to sniff (could be on a mirror port of a router or by using the standardized interception interfaces for law enforcement) but needs to be able to modify the traffic.
– Steffen Ullrich
yesterday
|
show 5 more comments
The common way to actively attack STARTTLS is not to attack the attempt of an TLS handshake but to claim that the recipient MTA does not support STARTTLS in the first place by modifying the response to the EHLO command and to claim that STARTTLS is not supported when trying. See Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?. The sender MTA cannot conclude from this an active attack, it can only conclude that recipient MTA does not support STARTTLS.
– Steffen Ullrich
2 days ago
@SteffenUllrich That may be so, but it's still an active attack that requires tampering with the SMTP transaction, basically as it is happening; therefore requiring an adversary capable and willing to do more than passively monitor traffic. The important distinction isn't which method is used to prevent STARTTLS, but rather whether the attack is active or passive in the first place. By definition, downgrade attacks cannot be passive; any downgrade attack has to be an active attack at some level. Beyond that, MTA-STS (once it, hopefully, becomes widely supported) is a decent next step.
– a CVn
yesterday
I agree that it is an active attack and said so in my comment. But contrary to the example in your answer it is an active attack which cannot be detected by the MTA unless it somehow knows already that the peer will support TLS. And that is the point I was trying to make, that it might not be possible to detect that an active attack is going on.
– Steffen Ullrich
yesterday
@SteffenUllrich See edit.
– a CVn
yesterday
1
"Active attacks are much easier to detect than their passive counterparts." - kind of. Another point is that active attacks are not only easier to detect but harder to do in the first place since the attacker not only needs be able to sniff (could be on a mirror port of a router or by using the standardized interception interfaces for law enforcement) but needs to be able to modify the traffic.
– Steffen Ullrich
yesterday
The common way to actively attack STARTTLS is not to attack the attempt of an TLS handshake but to claim that the recipient MTA does not support STARTTLS in the first place by modifying the response to the EHLO command and to claim that STARTTLS is not supported when trying. See Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?. The sender MTA cannot conclude from this an active attack, it can only conclude that recipient MTA does not support STARTTLS.
– Steffen Ullrich
2 days ago
The common way to actively attack STARTTLS is not to attack the attempt of an TLS handshake but to claim that the recipient MTA does not support STARTTLS in the first place by modifying the response to the EHLO command and to claim that STARTTLS is not supported when trying. See Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?. The sender MTA cannot conclude from this an active attack, it can only conclude that recipient MTA does not support STARTTLS.
– Steffen Ullrich
2 days ago
@SteffenUllrich That may be so, but it's still an active attack that requires tampering with the SMTP transaction, basically as it is happening; therefore requiring an adversary capable and willing to do more than passively monitor traffic. The important distinction isn't which method is used to prevent STARTTLS, but rather whether the attack is active or passive in the first place. By definition, downgrade attacks cannot be passive; any downgrade attack has to be an active attack at some level. Beyond that, MTA-STS (once it, hopefully, becomes widely supported) is a decent next step.
– a CVn
yesterday
@SteffenUllrich That may be so, but it's still an active attack that requires tampering with the SMTP transaction, basically as it is happening; therefore requiring an adversary capable and willing to do more than passively monitor traffic. The important distinction isn't which method is used to prevent STARTTLS, but rather whether the attack is active or passive in the first place. By definition, downgrade attacks cannot be passive; any downgrade attack has to be an active attack at some level. Beyond that, MTA-STS (once it, hopefully, becomes widely supported) is a decent next step.
– a CVn
yesterday
I agree that it is an active attack and said so in my comment. But contrary to the example in your answer it is an active attack which cannot be detected by the MTA unless it somehow knows already that the peer will support TLS. And that is the point I was trying to make, that it might not be possible to detect that an active attack is going on.
– Steffen Ullrich
yesterday
I agree that it is an active attack and said so in my comment. But contrary to the example in your answer it is an active attack which cannot be detected by the MTA unless it somehow knows already that the peer will support TLS. And that is the point I was trying to make, that it might not be possible to detect that an active attack is going on.
– Steffen Ullrich
yesterday
@SteffenUllrich See edit.
– a CVn
yesterday
@SteffenUllrich See edit.
– a CVn
yesterday
1
1
"Active attacks are much easier to detect than their passive counterparts." - kind of. Another point is that active attacks are not only easier to detect but harder to do in the first place since the attacker not only needs be able to sniff (could be on a mirror port of a router or by using the standardized interception interfaces for law enforcement) but needs to be able to modify the traffic.
– Steffen Ullrich
yesterday
"Active attacks are much easier to detect than their passive counterparts." - kind of. Another point is that active attacks are not only easier to detect but harder to do in the first place since the attacker not only needs be able to sniff (could be on a mirror port of a router or by using the standardized interception interfaces for law enforcement) but needs to be able to modify the traffic.
– Steffen Ullrich
yesterday
|
show 5 more comments
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f218451%2fwhy-is-starttls-used-when-it-can-be-downgraded-very-easily%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Incidentally, the server speaking SSLv3 is not the primary issue. I've heard reasonable reports the downgrade can still happen if the client supports SSLv3 even if the server doesn't. In any case, if the client refuses to support SSLv3 the attack simply can't happen.
– Joshua
16 hours ago
I think the title could be improved to something like: "Why is STARTTLS used when it can be downgraded very easily?" What do you think, AndreKR, does that still reflect your question correctly? The current title sounds like starttls is outdated or deprecated and even had me confused for a minute.
– Luc
10 hours ago
@Luc Yes, that works too, changed it. What I actually meant is more like "Why is STARTTLS used and SSLv3 is not when both can be made insecure by downgrading?"
– AndreKR
18 mins ago