In non-startling news, EFF says STARTTLS email crypto is mostly done wrong

Having successfully pushed for universal HTTPS Web encryption, the Electronic Frontier Foundation's next protocol push is for “STARTTLS Everywhere”.

It's testament to system administrator inertia that a protocol first published in 2002 and available in all major e-mail clients and servers is still not everybody's default.

By the standards of Internet RFCs, STARTTLS is neither particularly complex, nor in the least bit daunting – Paul Hoffman's RFC 3207 (which replaced his earlier proposal written in 1999) runs to a mere 2,500 words (Hoffman's usage example has just 17 steps).

The combination of relative simplicity, and the wake-up call of Edward Snowden's revelations, means availability of STARTTLS is high. With the EFF citing Google data that 89 per cent of outbound e-mails are already encrypted, why would a campaign be necessary?

The answer, according to the EFF, is that there remain gaps in STARTTLS implementation.

The big one, the foundation says, is certificate checking, with too many message transfer agents (MTAs) either not checking the certificates other MTAs present, or accepting self-signed certificates.

It's a familiar, circular scenario: nobody checks certificates before passing messages, because there's a high chance of failure, because so many people can't present a valid certificate.

The other issue highlighted by the EFF is that STARTTLS leaves open an opportunity for a person-in-the-middle to execute a downgrade attack. The protocol's first negotiation is unencrypted (and unauthenticated), so the PITM could substitute messages into the negotiation pretending to each end that they don't support STARTTLS.

The risk of downgrade attacks prompted Google to propose warning Gmail users when encryption is absent.

In 2016, the Internet Engineering Task Force put forward its own proposal, an attempt to standardise part of what the EFF wants. Known as SMTP Strict Transport Security, it proposed using the existing certificate authority infrastructure to avoid interception. That proposal is still under very active development, and earlier this month, the 21^st draft of a standard for deploying STS in message transfer agents (MTA-STS) was published.

The EFF is critical of MTS-STS, however, and wrote: “since most DNS requests are still unauthenticated (see the section on DANE above), an active attacker can still man-in-the-middle the initial DNS request and convince the sender that the recipient doesn’t support MTA-STS”.

The EFF's campaign is threefold: improve STARTTLS adoption; prevent downgrade attacks; and work on proposals to make it easier to run a secure mailserver.

To support STARTTLS adoption, the organisation is developing versions of its existing Certbot plugin to work with MTAs (Certbot was originally created to help Web admins deploy HTTPS). It has a plugin available now for Postfix, and plugins for Dovecot and Sendmail are under development.

To prevent downgrade attacks, the EFF has created a list of mailservers known to support STARTTLS to make it easier for sysadmins to detect attackers trying to pretend that mail.example.com doesn't support the protocol. Sysadmins can request their domains be added to that list, so long as they provide suitable validation information.

The foundation's “simplify running a secure mailserver” effort is currently at the brainstorming stage, and the EFF is soliciting suggestions. ®