SSL/TLS and port 587
Steven M. Bellovin
smb at cs.columbia.edu
Tue Jan 22 23:21:29 EST 2008
On Tue, 22 Jan 2008 10:38:24 -0800
Ed Gerck <edgerck at nma.com> wrote:
> List,
>
> I would like to address and request comments on the use of SSL/TLS
> and port 587 for email security.
>
> The often expressed idea that SSL/TLS and port 587 are somehow able
> to prevent warrantless wiretapping and so on, or protect any private
> communications, is IMO simply not supported by facts.
>
> Warrantless wiretapping and so on, and private communications
> eavesdropping are done more efficiently and covertly directly at the
> ISPs (hence the name "warrantless wiretapping"), where SSL/TLS
> protection does NOT apply. There is a security gap at every
> negotiated SSL/TLS session.
>
> It is misleading to claim that port 587 solves the security problem
> of email eavesdropping, and gives people a false sense of security.
> It is worse than using a 56-bit DES key -- the email is in plaintext
> where it is most vulnerable.
>
This is old news. But what's your threat model?
Clearly, hop-by-hop encryption, be it port 587 to your ISP's submission
server or pop3s/imaps by the recipient to his/her mail server does
nothing to protect against someone who has hacked the server. I wrote
about that years ago; see
http://www.cs.columbia.edu/~smb/securemail.html (which archive.org
dates to April 1999, under my old AT&T URL), and I don't claim the
insight was novel even then. Port 587 was defined in RFC 2476, from
1998; it specifically talks about the need for encryption. SMTP-AUTH is
defined in RFC 2487 (Jan 1999 -- again, before my page), which
specifically warns that TLS protection of the channel isn't sufficient
against some threats. (Aside: my page was prompted by someone on a
sensitive internal project who asked if he should encrypt his email.
After poking around a bit, I used xmessage to pop up a message on his
screen saying that there wasn't much point to encryption unless he
cleaned up a lot of other security issues...) But note that the logic
applies about as well to end-to-end encryption, if your attacker can
hack the machine at either end. By hack I specifically include "black
bag jobs" to plant a keystroke logger or the like.
So -- is encryption, whether hop-by-hop or end-to-end, useless? No, of
course not. Encrypting email submission or retrieval is very useful if
you use, say, wireless hotspots. (Caveats and cautions here are left
as an exercise for the reader.) End-to-end encryption guards against
rogue administrators of mail servers. Neither protects against all
threats -- but both have their uses.
"Amateurs talk about algorithms; pros talk about economics."
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list