Google, Microsoft, Yahoo: We want to stop email snooping by fixing these encryption flaws
March 22, 2016
Shah Sheikh (1294 articles)

Google, Microsoft, Yahoo: We want to stop email snooping by fixing these encryption flaws

Web giants are collaborating to fix some of the problems that expose STARTTLS to attacks that downgrade encrypted connections to insecure ones.

Amazon, Facebook, Google, Microsoft, Yahoo, and others have all started supportingSTARTTLS, an extension that can upgrade plain text connections on the Simple Mail Transfer Protocol (SMTP) to encrypted ones.

But according to recent research, contributed to by Google, one of the problems with this “opportunistic encryption” enabled by STARTTLS is that the system “favors failing open”, which means that even if something isn’t right, the email will still be sent unencrypted, also known as ‘in the clear’.

The design is meant to encourage adoption of STARTTLS. However, the research highlights that attackers are easily able to use network devices to force a downgrade to non-encrypted channels.

In Tunisia, for example, the researchers found that 96 percent of email sent from the nation to Gmail is sent in the clear.

Now Google, Yahoo, Comcast, Microsoft, LinkedIn, and 1&1 Mail & Media Development and Technology are seeking to fix this problem in an IETF proposal called SMTP Strict Transport Security.

The other issue it seeks to resolve relates to questions about the authenticity of the Message Transfer Agent (MTA) server.

One of the measures the proposal introduces is the ability to stop delivering a message if it can’t be delivered securely, which it proposes through SMTP STS policy records that allow a sending service to check a recipient’s policy before sending an email.

“SMTP STS is a mechanism enabling mail service providers to declare their ability to receive TLS-secured connections, to declare particular methods for certificate validation, and to request sending SMTP servers to report upon and/or refuse to deliver messages that cannot be delivered securely,” the draft proposal reads.

The IETF draft was submitted by the web firms on Friday and expires on September 19.

Source | ZDNET