[Cryptography] ISPs caught in STARTTLS downgrade attacks

Andreas Junius andreas.junius at gmail.com
Thu Nov 13 16:17:53 EST 2014



On 14/11/14 05:31, Bear wrote:
> End-to-end email encryption solutions such as PGP do not
> protect crucial elements in the headers.  STARTTLS was supposed
> to do so but can only be run by the parties that run the mail
> servers.  Since most correspondents rely on mail servers operated
> by their ISPs (and most ISPs block customer mail servers as
> non-negotiable policy in order to limit spam sending) STARTTLS
> was never practical for end-to-end use. The plaintext of STARTTLS
> email is normally visible to the sender's ISP and receiver's
> ISP.
>
> Unfortunately, the ISPs do not risk substantial losses from
> failures of STARTTLS and can subvert or fail to implement it
> in ways not immediately visible to those who do. Predictably
> some have therefore been subverting or failing to implement
> it.
>
> https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
>
> Sigh.  One more round of "Internet Mail, Privacy Fail."
>
> I'm increasingly of the opinion that there is no protocol
> that can be derived from SMTP and compatible with it that
> can provide the practical privacy of a paper letter in a
> paper envelope.
>
> 				Bear

SMTP is a rather old protocol with a clear emphasis on research;
hence all those headers that get extended on every intermediate hop.
The requirements for a message transport protocol were very different at
the time from what we need nowadays.
I agree that SMTP can't be fixed, because the old requirements
contradict the new ones. The Dark Mail Alliance guys think the same
and they are designing something based on XMPP, if I got it right.
I personally think that's not the way to go. Companies might have
trouble managing another port and protocol, and an intelligence agency
has a clear target to tap into communication. I am therefore trying a solution
that uses REST via HTTPS: http://www.peemail.org/home/projects/pee/
It uses end-to-end encryption for all parts of the message and
additional encryption for client-server communication. The advantage is
that there is no difference between, e.g., online banking and sending
messages. It's still not finished but it looks promising so far.

Andy

