Internet companies want to improve e-mail security via SMTP

Several companies, including Google, Yahoo and LinkedIn, have sent a proposal to the Internet Engineering Task Force to improve the security of e-mail. They propose an alternative to the inadequate STARTTLS protocol extension.

The proposal draws attention to several problems with current e-mail traffic, which still runs over the SMTP protocol of 1981; by default, SMTP neither authenticates senders nor encrypts messages. This is evident from a study by Google and two US universities. Security features such as STARTTLS, SPF, DKIM and DMARC were only added to the protocol later.

According to the researchers, these protocol extensions are implemented entirely on a voluntary basis, leading to a "patchwork of security measures". One of the findings of that study was that of the 700,000 SMTP servers associated with the 1 million most popular websites according to Alexa, 82 percent support TLS and only 35 percent are configured correctly to support server authentication. Google itself reports that 83 percent of outgoing and 69 percent of incoming Gmail messages are encrypted.

The proposal, which comes from Google, Comcast, LinkedIn, Yahoo, Microsoft and 1&1 Mail & Media Development, focuses on the shortcomings of STARTTLS, introduced in 2002. STARTTLS works by establishing an SMTP connection to a server and then issuing the STARTTLS command to initiate an encrypted TLS connection through a handshake. The server, however, is not authenticated, and if no STARTTLS support is present, the message is sent unencrypted.

According to the authors of the proposal, these two facts are the shortcomings of the system. An attacker can use a downgrade attack to strip the STARTTLS portion of an SMTP session, so that the communication is unencrypted even though both parties might support TLS. In addition, because of the lack of authentication, an attacker can pose as the recipient's server, for instance by spoofing the DNS MX record.

The solution, according to the petitioners, is a new system called SMTP STS, short for SMTP Strict Transport Security. It should allow a domain or MTA, such as a mail server, to indicate in advance that it supports TLS and how security is to be handled. That makes it possible, for example, to prevent a downgrade attack.

SMTP STS should also ensure that a server can be authenticated. Finally, it is also possible to establish a policy for the case in which a TLS connection cannot be established. The proposal expresses a preference to treat sending the mail as a failure in that case. A facility to report such incidents is also provided.
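The difference between opportunistic STARTTLS and a pre-declared strict policy, as an added illustration that is not the article's or the proposal's own code: the policy fields, hostnames and report address below are constructed for the example and are not the draft's actual record syntax.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the two delivery behaviours the article contrasts.
# Field names are illustrative only, not the syntax of the IETF draft.

@dataclass(frozen=True)
class StsPolicy:
    require_tls: bool              # domain declared in advance that it supports TLS
    allowed_mx: frozenset          # MX hostnames the recipient domain vouches for
    fail_on_error: bool            # True: a failed secure connection means delivery failure
    report_addr: Optional[str]     # where incidents are reported

@dataclass(frozen=True)
class SessionObservation:
    mx_host: str                   # MX hostname the sender resolved via DNS
    starttls_offered: bool         # did the server advertise STARTTLS in its EHLO reply
    cert_valid_for_mx: bool        # did the TLS certificate authenticate that hostname

def opportunistic_starttls(obs: SessionObservation) -> str:
    """Plain STARTTLS: encrypt if offered, otherwise silently fall back to cleartext."""
    return "deliver-tls" if obs.starttls_offered else "deliver-plaintext"

def sts_decision(policy: StsPolicy, obs: SessionObservation):
    """SMTP STS as described: declared TLS expectation, server authentication, failure policy.

    Returns (action, report); report is None when nothing went wrong."""
    if not policy.require_tls:
        return opportunistic_starttls(obs), None
    problems = []
    if obs.mx_host not in policy.allowed_mx:        # spoofed MX record
        problems.append("mx-not-in-policy")
    if not obs.starttls_offered:                    # STARTTLS stripped or absent
        problems.append("starttls-not-offered")
    elif not obs.cert_valid_for_mx:                 # server cannot be authenticated
        problems.append("certificate-invalid")
    if not problems:
        return "deliver-tls", None
    report = {"to": policy.report_addr, "mx": obs.mx_host, "problems": problems}
    if policy.fail_on_error:
        return "fail", report                       # the proposal's preferred outcome
    # Report-only policy: behave as plain STARTTLS would, but record the incident.
    return opportunistic_starttls(obs), report
```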

A reference implementation of SMTP STS is available on GitHub. It is maintained by two employees of 1&1 Mail & Media Development who were involved in the proposal.
