[liberationtech] The status of SMTP security in email communication infrastructures

Tue Sep 3 05:50:24 PDT 2013

Just sending along some links on the topic (from another thread).

- I initially put this
chart<https://twitter.com/ashk4n/status/350276220006563841> together
(which Declan based this story
on<http://news.cnet.com/8301-13578_3-57590389-38/how-web-mail-providers-leave-door-open-for-nsa-surveillance/>)
showing the top 4 email providers don't really support TLS (either invalid
certs or no TLS altogether)

- I also did a quick followup showing that, while Microsoft/Yahoo don't
support TLS for their webmail, they do for their own corporate
mail<https://twitter.com/ashk4n/status/351165153401794560/photo/1>
.

- One industry report I found indicates that "Thirty-nine percent of
respondents already use email encryption beyond Transport Layer Security
(TLS), while another 25% plan on adopting it in the next 24 months."

- Additionally, I've been told by the OTA that "Gateway-to-gateway TLS has
been widely deployed across financial services starting in about 2005. Most
large banks have TLS turned on opportunistically (try TLS first, then send
plain text) for all mail and they also have a list of domains for which
they will only send TLS (if can't negotiate TLS then no send email to that
domain)."

Would love to see more follow-on work on this topic.  I think even getting
webmail providers to use invalid certificates is a step forward as it moves
the attack from passive to active (i.e you can detect a mitm certificate)
-a

On Mon, Aug 26, 2013 at 4:52 AM, Fabio Pietrosanti (naif) <
lists at infosecurity.ch> wrote:

>  Hi all,
>
> following the talk of Eleanor Saitta at Noisy2 (
> https://noisysquare.com/ethics-and-power-in-the-long-war-eleanor-saitta-dymaxion/),
> some private discussion with Moritz Blatz and some discussion with
> activists of autistici regarding the effective privacy of security-enhanced
> email services, i realized that we does not have an objective vision of
> which is the status of of security in SMTP email exchange (between SMTP
> servers).
>
> We need to answer several question from several perspectives in order to
> evaluate, for a later improvement, which is the link-level-security of
> email transport between SMTP servers on the internet.
>
> *From an internet architecture perspective:*
> * "Which is the status of security in SMTP email exchange on the
> internet?" .
> * From the top-30 global email provider and from the top-10 of each major
> country:
>   - which of them offer SMTP/TLS when sending email?
>   - which of them accept SMTP/TLS when receiving email?
>
> With those data the ISPs could be challenged to introduce some better
> link-level-security .
>
> *From a software perspective:*
> * Which of the 10 most used SMTP software in the world (commercial and
> opensource):
>   - do offer by default SMTP/TLS when sending email?
>   - do accept by default SMTP/TLS when receiving email?
>
> With those data the software vendor could be challenged to improve the
> "default" of link-level-security, introducing a default-opportunistic
> encryption.
>
> *From an analysis perspective:*
> * Which of the major email log analysis platform support:
>   - Analyzing which of the remote SMTP server we send email to, or receive
> email from do support SMTP/TLS, which do not support, which support
> partially and/or give specific errors
> * Which kind of massive-scale-analysis could be approached (internet-wide
> scanning) to map the status of email security?
> * Which of them support also TLS compression and SMTP PIPELINING (making
> it more difficult to carry on timing correlation attacks to SMTP traffic) ?
>
> With those data we could effectively enable centralized / diffused
> collection of data regarding the "current status" of the internet with the
> regards of this email security issues.
>
> *From a proactive perspective:*
> * How could we implement a set of standard measure to improve the amount
> of servers supporting SMTP/TLS?
>
> One idea here would be to have an email server that does only SMTP/TLS for
> inbound and outbound communications and that automatically send abuse-alike
> emails to email/domain/IP owners communicating them of a "URGENT Security
> Problem".
>
> Another idea would be to make a "hall of shame" of all non-security SMTP
> provider and/or to aggregate all of them to a DNS-list in order to have a
> "Secure by default, but with some exception" SMTP/TLS exchange.
> Others for sure exists.
>
>
> As Eleanor Saitta underlined, improving the security of SMTP email
> exchange over the internet, would greatly challenge massive wiretapping
> programs for what's related to email interception, by attacking the
> cost/benefit that those carry on.
>
> Anyone willing to work on that kind of issues from a global internet
> perspective, requiring a lot of work in a lot of different areas, would be
> my personal heroes for 2014!
>
> --
> Fabio Pietrosanti (naif)
> HERMES - Center for Transparency and Digital Human Rightshttp://logioshermes.org - http://globaleaks.org - http://tor2web.org
>
>
> --
> Liberationtech is a public list whose archives are searchable on Google.
> Violations of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at stanford.edu.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130903/309fe2c7/attachment.html>