[Cryptography] ISPs caught in STARTTLS downgrade attacks

Viktor Dukhovni cryptography at dukhovni.org
Fri Nov 14 00:24:03 EST 2014

On Thu, Nov 13, 2014 at 11:01:21AM -0800, Bear wrote:

> Unfortunately, the ISPs do not risk substantial losses from 
> failures of STARTTLS and can subvert or fail to implement it 
> in ways not immediately visible to those who do. Predictably 
> some have therefore been subverting or failing to implement 
> it.
> https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

Storm in a teacup.  These are anti-spam measures to filter botnet
outbound direct-to-mx traffic.  This is not a conspiracy to spy on
your mail, and does not apply to the vast majority of MTA to MTA

And the reported practice is by no means universal; Time Warner Cable
in New York certainly neither suppresses nor MITMs STARTTLS
from my home network (DANE TLSA records work just fine for the
domains that publish them).

As for SMTP being the problem, that's just ignorance.  Most security
difficulties with email are a consequence of requirements, not

   * Allow total strangers to communicate.
   * Allow asynchronous communication.
   * Allow mail to be delivered to multiple recipients.
   * Allow forwarding via mailing lists, virtual mailboxes, ...

By the time you've built something with the flexibility and
universality of SMTP, you have SMTP's problems.

As for S/MIME headers in the clear, that's a feature, and the problem
is with MUA S/MIME support, not SMTP.  S/MIME can encapsulate complete
messages, with a "vanilla" header in the outer message.  Server-side
searching, sorting, ... becomes difficult.

I think very few people would likely want to use end-to-end encrypted
mail, even if all the key-management usability issues were addressed
and it became easy to send encrypted mail and read a given encrypted
message.  Substantial problems remain:

    * Lose your key, lose all your mail.
    * Substantially reduced server-side spam filtering.
    * No server-side search.
    ... and many more ...

For better or for worse, securing the transport is by far the more
tractable problem, and this does not hobble usability.
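The kind of check Viktor describes running from his home network, written up as an added example (not code from this thread or from any MTA): it parses a raw SMTP EHLO reply as seen on the wire, reports whether STARTTLS is advertised, and treats a missing STARTTLS as a suspected downgrade when the caller states that the destination publishes DANE TLSA records. The EHLO replies and host names are constructed for illustration; the live probe helper is an assumption built on the standard library's smtplib.

```python
# Added example: client-side STARTTLS downgrade check.
# Not part of the original post; sample replies are constructed.
import re
import smtplib

# Constructed EHLO replies: a normal one and one with STARTTLS absent.
NORMAL_REPLY = (b"250-mx.example.test Hello client\r\n"
                b"250-PIPELINING\r\n250-SIZE 10240000\r\n"
                b"250-STARTTLS\r\n250 8BITMIME\r\n")
STRIPPED_REPLY = (b"250-mx.example.test Hello client\r\n"
                  b"250-PIPELINING\r\n250-SIZE 10240000\r\n"
                  b"250 8BITMIME\r\n")

# Parse a raw multi-line EHLO reply ("250-KEYWORD" continuation lines,
# "250 KEYWORD" final line) into the set of advertised ESMTP keywords.
# The first line is the server greeting and carries no keyword.
def ehlo_keywords(reply: bytes) -> set:
    keywords = set()
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords

# Classify one session. When the remote publishes TLSA records (DANE),
# TLS is mandatory, so a reply without STARTTLS is a downgrade or a
# misconfiguration rather than an optional feature being absent.
def classify(reply: bytes, tlsa_published: bool = False) -> str:
    if "STARTTLS" in ehlo_keywords(reply):
        return "starttls-offered"
    if tlsa_published:
        return "downgrade-suspected"
    return "starttls-missing"

# Live probe (needs network; not exercised offline). smtplib strips the
# "250-" prefixes itself, so use its has_extn() rather than the parser.
def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return s.has_extn("starttls")

if __name__ == "__main__":
    print("normal  :", classify(NORMAL_REPLY))
    print("stripped:", classify(STRIPPED_REPLY, tlsa_published=True))
```

Run the probe from several networks (home, mobile, a VPS) and compare; a path where the same MX stops advertising STARTTLS is the symptom the EFF article and this thread are about.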
