[Cryptography] Facebook on the state of STARTTLS
Viktor Dukhovni
cryptography at dukhovni.org
Tue May 20 18:34:18 EDT 2014
On Tue, May 20, 2014 at 05:17:30PM -0400, Salz, Rich wrote:
> > I wouldn't say "futile," but I would say that there are some challenges.
>
> I think many people are missing the point.
>
> By default, SMTP traffic is unauthenticated cleartext. You have
> no idea who is at the other end and anyone can sniff the packets
> along the way. With STARTTLS, traffic is unauthenticated ciphertext.
> You have no idea who is at the other end, but only the endpoint
> (or those who compromised it) can see the content. Many people
> consider that progress, even though it is still unauthenticated.
Yes, that's the short version. The long version in the DANE draft
explains why we can't really do much better without DNSSEC+DANE
even if we wanted to.
Note, that here too we have some "mile-high pole" security. With
or without DANE, STARTTLS only protects email transport (the part
of the problem we know how to solve), and deliberately neglects
the question of end-to-end security.
The end-to-end security problem for email is rather non-trivial,
because in most cases people expect their anti-virus/anti-spam
outsourced provider to scan the message content for malware or
spam, in regulated industries employers may be required to archive
cleartext of email, ... and of course we still have not demonstrated
usable human to human internet-scale key management.
So STARTTLS (opportunistic TLS and/or opportunistic DANE TLS) is
only a passive monitoring counter-measure (hardened against MiTM,
but not end-point, attacks with DANE), which paradoxically can only
succeed *because* you don't know it is there (and thus can't signal
a requirement for it, or know it happened).
The fact that STARTTLS is opportunistic and does not require any
bilateral coordination between sending and receiving parties or
user signalling, ... makes it possible to incrementally deploy it
at scale without anybody noticing that it is even happening.
I bet that a lot of folks were rather surprised by the magnitude
of the Facebook reported percentage of TLS encrypted transport.
The deployment of opportunistic STARTTLS for SMTP happened quietly
one domain at a time, without email users having to do anything to
turn it on (of course server operators had to enable use of STARTTLS
as a default).
So you can have ubiquitous opportunistic encryption that is deployed
transparently, but its use or non-use is opaque to users, or you
can have visibly strong mandatory encryption. Getting ubiquitous
strong encryption that you can enforce/audit is rather more
challenging.
--
Viktor.
More information about the cryptography
mailing list