[Cryptography] ISPs caught in STARTTLS downgrade attacks

Bear bear at sonic.net
Thu Nov 13 14:01:21 EST 2014

End-to-end email encryption solutions such as PGP do not 
protect crucial elements in the headers.  STARTTLS was supposed 
to do so but can only be run by the parties that run the mail 
servers.  Since most correspondents rely on mail servers operated
by their ISPs (and most ISPs block customer mail servers as
non-negotiable policy in order to limit spam sending) STARTTLS 
was never practical for end-to-end use. The plaintext of STARTTLS 
email is normally visible to the sender's ISP and receiver's 

Unfortunately, the ISPs do not risk substantial losses from 
failures of STARTTLS and can subvert or fail to implement it 
in ways not immediately visible to those who do. Predictably 
some have therefore been subverting or failing to implement 


Sigh.  One more round of "Internet Mail, Privacy Fail."

I'm increasingly of the opinion that there is no protocol 
that can be derived from SMTP and compatible with it that 
can provide the practical privacy of a paper letter in a 
paper envelope.
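
Added example, not part of the original post: one way a sending host can make a missing STARTTLS offer visible instead of silently falling back to plaintext. It parses the EHLO reply and compares it with what the destination offered before. The sample replies, the host name, the `seen_tls_before` cache flag and the decision labels are all constructed assumptions.

```python
import re

# Constructed EHLO replies (not captured traffic); mx.example.net is a placeholder.
INTACT = "250-mx.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
STRIPPED = "250-mx.example.net\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Return (code, extension keywords) from a multi-line SMTP EHLO reply."""
    lines = [l for l in reply.split("\r\n") if l]
    if not lines:
        raise ValueError("empty reply")
    code, keywords = None, set()
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changes mid-reply")
        # '-' marks a continuation line, ' ' marks the final line.
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("continuation marker out of place")
        # The first line is the greeting; later lines each carry one keyword.
        if i > 0 and m.group(3):
            keywords.add(m.group(3).split()[0].upper())
    return int(code), keywords


def delivery_decision(reply, seen_tls_before):
    """Hypothetical policy: never downgrade silently.

    seen_tls_before is an assumed local cache entry recording that this
    destination advertised STARTTLS on an earlier connection.
    """
    code, keywords = parse_ehlo(reply)
    if code != 250:
        return "defer"
    if "STARTTLS" in keywords:
        return "starttls"
    # Offer vanished for a host that used to make it: suspected downgrade.
    return "refuse-and-alert" if seen_tls_before else "plaintext-logged"


if __name__ == "__main__":
    for name, reply in (("intact", INTACT), ("stripped", STRIPPED)):
        print(name, delivery_decision(reply, seen_tls_before=True))
```
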

