31 Aug 2021
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.
A paper published at the USENIX security conference showed a large number of vulnerabilities in STARTTLS implementations. The author of this newsletter participated in this research.
STARTTLS is a mechanism that allows upgrading plaintext protocol connections to TLS. The research focused on STARTTLS in the communication between email clients and servers (SMTP, IMAP, POP3). It turns out this upgrading mechanism is fragile and can lead to a number of security problems.
In 2011, Postfix developer Wietse Venema discovered that when sending additional content together with the STARTTLS-initiating command in the same TCP packet, many servers would interpret this as part of the encrypted connection even though it was plaintext and could thus be injected by a man-in-the-middle attacker.
What we found is that this vulnerability was still quite prevalent and affected many servers. Our research also described how to exploit this vulnerability practically to steal login credentials via a vulnerable SMTP or IMAP server.
We also discovered that a very similar vulnerability exists on many email clients, including popular clients like Mozilla Thunderbird and Apple Mail. While less severe than the server-side vulnerability, this flaw allows forging mailbox content.
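The server-side buffering flaw described above, as an added example that is not code from the newsletter or from the paper's own test tools: a toy model of an SMTP server's read loop. One recv() is a constructed byte string; the function and class names and the minimal protocol model are assumptions. The vulnerable path keeps the plaintext that followed STARTTLS in the same read and processes it after the simulated handshake, so the server attributes it to the TLS session; the fixed path refuses the upgrade when such trailing bytes exist.

```python
# Added example (not the newsletter's or the paper's code): a toy model of an
# SMTP server's read loop that shows the STARTTLS buffering bug. A real server
# reads from a socket; here one recv() is a constructed byte string. The
# class/function names and the tiny protocol model are assumptions.


class Session:
    """What the server believes about one client connection."""

    def __init__(self):
        self.tls_active = False   # set once the server thinks TLS is up
        self.closed = False
        self.commands = []        # (command line, server believed it was encrypted)
        self.replies = []


def process_read(data: bytes, vulnerable: bool) -> Session:
    """Model one recv() of plaintext bytes arriving before any TLS handshake.

    vulnerable=True reproduces the bug: bytes that followed STARTTLS in the
    same read stay in the buffer and are executed after the (simulated)
    handshake, so the server treats them as part of the encrypted session
    although they were sent, and could have been appended, in plaintext.
    vulnerable=False refuses the upgrade when trailing bytes exist: RFC 3207
    requires the client to wait for the handshake before sending anything
    else, so plaintext after STARTTLS is a protocol violation.
    """
    session = Session()
    buf = data
    while b"\r\n" in buf and not session.closed:
        line, buf = buf.split(b"\r\n", 1)
        if line.upper() == b"STARTTLS":
            if buf and not vulnerable:
                session.replies.append(b"501 Syntax error: data after STARTTLS")
                session.closed = True
                break
            session.replies.append(b"220 Ready to start TLS")
            session.tls_active = True   # the TLS handshake would happen here
            # Vulnerable path: `buf` still holds plaintext read before the
            # handshake, and the loop keeps consuming it with tls_active set.
            continue
        session.commands.append((line, session.tls_active))
        session.replies.append(b"250 OK")
    return session


if __name__ == "__main__":
    # Constructed input: a STARTTLS line with an extra command glued into the
    # same TCP segment, which is exactly what the server must not trust.
    sample = b"EHLO client.example\r\nSTARTTLS\r\nNOOP\r\n"
    for flag in (True, False):
        s = process_read(sample, vulnerable=flag)
        print("vulnerable" if flag else "fixed", s.commands, s.replies, s.closed)
```

The model only looks at one read; a real implementation must also account for data sitting in any user-space buffer (stdio, the TLS library's own input buffer) in front of the socket, because that data was read before the handshake as well.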
An incompatibility between an IMAP feature and STARTTLS also poses a security risk. In its greeting, directly after the initial connection, an IMAP server can send a PREAUTH response to signal that the client is already authenticated and does not need to send credentials. But in the authenticated state, the STARTTLS command is not allowed. By sending a PREAUTH greeting, a man-in-the-middle attacker can thus prevent a connection upgrade from happening.
This PREAUTH vulnerability was originally found in 2014 in a mail client called Trojitá, but we learned that it affected many popular mail clients, including Apple Mail and Mozilla Thunderbird.
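The PREAUTH downgrade described above, as an added example that is not code from the newsletter or from any mail client: the decision an IMAP client configured for STARTTLS should make after reading the server greeting. The greetings are constructed byte strings and the function names are assumptions. The flawed variant simply trusts a PREAUTH greeting and continues in plaintext; the hardened variant aborts whenever the required upgrade can no longer happen, which also covers a greeting whose advertised capabilities omit STARTTLS.

```python
# Added example (not the newsletter's or any mail client's code): how an IMAP
# client that requires STARTTLS should react to the untagged server greeting.
# Greetings are constructed byte strings; a real client reads them from the
# socket. Function names are assumptions.


class InsecureConnection(Exception):
    """Raised when the connection cannot be upgraded to TLS as required."""


def _parse_greeting(greeting: bytes):
    """Split an untagged greeting into (status, capabilities or None)."""
    parts = greeting.strip().split(b" ", 2)
    if len(parts) < 2 or parts[0] != b"*":
        raise ValueError("malformed IMAP greeting")
    status = parts[1].upper()
    rest = parts[2] if len(parts) == 3 else b""
    caps = None
    # Optional response code such as "[CAPABILITY IMAP4rev1 STARTTLS]"
    if rest.startswith(b"[") and b"]" in rest:
        code = rest[1:rest.index(b"]")].split()
        if code and code[0].upper() == b"CAPABILITY":
            caps = {c.upper() for c in code[1:]}
    return status, caps


def vulnerable_next_step(greeting: bytes) -> str:
    """The flawed behaviour: take PREAUTH at face value and skip the upgrade."""
    status, _ = _parse_greeting(greeting)
    if status == b"PREAUTH":
        return "authenticated"   # continues in plaintext, TLS is never started
    if status == b"OK":
        return "starttls"
    raise ConnectionError("unexpected greeting")


def hardened_next_step(greeting: bytes, require_tls: bool = True) -> str:
    """Upgrade or abort: never continue in plaintext when TLS is required."""
    status, caps = _parse_greeting(greeting)
    if status == b"BYE":
        raise ConnectionError("server closed the connection")
    if status == b"PREAUTH":
        # STARTTLS is only valid in the not-authenticated state, so a PREAUTH
        # greeting on a plaintext socket means this session can never be
        # encrypted; an on-path attacker can inject exactly this greeting.
        if require_tls:
            raise InsecureConnection("PREAUTH greeting before STARTTLS; aborting")
        return "authenticated"
    if status != b"OK":
        raise ValueError("unexpected greeting status")
    if not require_tls:
        return "login"
    # A greeting that lists capabilities without STARTTLS is the same
    # downgrade in a different form; do not fall back to plaintext login.
    if caps is not None and b"STARTTLS" not in caps:
        raise InsecureConnection("server does not advertise STARTTLS; aborting")
    return "starttls"


def check(greeting: bytes, require_tls: bool = True) -> str:
    """Convenience wrapper: the hardened decision, or 'abort'."""
    try:
        return hardened_next_step(greeting, require_tls)
    except InsecureConnection:
        return "abort"


if __name__ == "__main__":
    # Constructed greetings: a normal one and an attacker-style PREAUTH one.
    for g in (b"* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n",
              b"* PREAUTH [CAPABILITY IMAP4rev1] logged in\r\n"):
        print(g, "vulnerable:", vulnerable_next_step(g), "hardened:", check(g))
```

If the greeting carries no CAPABILITY code, the client still has to confirm STARTTLS via a CAPABILITY command and must abort if the STARTTLS command itself is refused; the point is that every path that cannot end in an encrypted session ends in an abort rather than a plaintext login.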
These vulnerabilities illustrate that implementing STARTTLS correctly is challenging. We therefore recommend avoiding STARTTLS when possible and ideally deprecating it in the long term, at least for client-to-server communication. This recommendation is in line with RFC 8314, which already recommends preferring implicit TLS on dedicated ports over STARTTLS.
For server-to-server connections, avoiding STARTTLS is currently not possible because no mechanism to use implicit TLS directly is specified.