[Cryptography] Debunking the "SMTP TLS's a mess" myth.
Viktor Dukhovni
cryptography at dukhovni.org
Mon Oct 3 14:02:49 EDT 2016
On Mon, Oct 03, 2016 at 11:50:34AM +0100, Ben Laurie wrote:
> On 3 October 2016 at 08:31, Stephen Farrell <stephen.farrell at cs.tcd.ie> wrote:
>
> > DANE's another attempt to improve things which may find a niche
> > where it does help. (SMTP/TLS in particular, but who knows maybe
> > back in the web later if something like [1] gets traction.)
>
> SMTP/TLS is definitely a mess!

Actually, it is rather a success. The fraction of SMTP traffic
that's encrypted in transit (between organizations over the public
Internet) may be larger than the corresponding metric for HTTP.
https://www.google.com/transparencyreport/saferemail/
(TL;DR as observed by Gmail, varying by weekday, 84-87% outbound,
76-80% inbound). Opportunistic TLS does a rather decent job of
defending most traffic against passive wiretap.

Yes, protection against active attacks is also desirable, hence
the interest in DANE and STS. Today, there are at least (limited
by the extent to which I've been able to find them):
~2200 distinct DANE-validated MX host certificates, serving
~60700 DANE-enabled domains, of which enough volume is sent by
~76 to have appeared in the above Gmail transparency report

Of the 60700 domains, ~700 have DNS for some, but not all of their
MX hosts, so their DANE deployment is a work-in-progress. A year
ago the domain count was around 12000 and the intersection with
the transparency report was 24 domains. Below is a sample of
some of the more prominent early adopters:
gmx.at
nic.br
registro.br
gmx.ch
open.ch
switch.ch
gmx.com
mail.com
xfinity.com
bund.de
fau.de
gmx.de
jpberlin.de
kabelmail.de
lrz.de
posteo.de
uni-erlangen.de
unitymedia.de
web.de
octopuce.fr
comcast.net
gmx.net
t-2.net
xs4all.net
mkbbelangen.nl
overheid.nl
uvt.nl
xs4all.nl
domeneshop.no
debian.org
freebsd.org
gentoo.org
ietf.org
isc.org
netbsd.org
openssl.org
samba.org
torproject.org

The gmx.de and comcast.net deployments cover tens of millions
of users.

Much of the early deployment (by domain count) is for small domains
hosted by a few large providers:
31859 transip.nl
15144 udmedia.de
1795 bhosted.nl
1261 nederhost.net
905 ec-elements.com
376 core-networks.de
208 omc-mail.com
181 hot-chilli.net
168 mailbox.org
164 networking4all.net

I expect to see more large populations of hosted domains to support
DANE TLS for SMTP by the end of this year, and the total to grow
by a factor of 10 or so.

--
Viktor.
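The post counts a domain as DANE-enabled only when all of its MX hosts publish usable TLSA records, and calls the ~700 domains that cover only some MX hosts a work in progress. The following is an added example (not code from the post or from any of the deployments it lists) that applies that classification to a constructed TLSA zone and checks a record against placeholder certificate bytes; the hostnames, byte strings and the `tlsa_by_owner` lookup shape are assumptions made for the example.

```python
import hashlib

# TLSA parameters usable for SMTP (RFC 7672): certificate usages DANE-TA(2) and
# DANE-EE(3); selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
# matching type 0 = exact, 1 = SHA-256, 2 = SHA-512. PKIX-TA(0)/PKIX-EE(1)
# records are not usable for SMTP and are ignored.
SMTP_USAGES = {2, 3}
SELECTORS = {0, 1}
MATCHERS = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}

def is_usable(record):
    usage, selector, mtype, _ = record
    return usage in SMTP_USAGES and selector in SELECTORS and mtype in MATCHERS

def tlsa_matches(record, cert_der, spki_der):
    """True when one TLSA record (usage, selector, mtype, data) matches the
    given DER certificate or its SubjectPublicKeyInfo: the leaf for
    DANE-EE(3), a certificate in the chain for DANE-TA(2)."""
    if not is_usable(record):
        return False
    _, selector, mtype, data = record
    obj = cert_der if selector == 0 else spki_der
    digest = obj if MATCHERS[mtype] is None else MATCHERS[mtype](obj).digest()
    return digest == data

def domain_dane_status(mx_hosts, tlsa_by_owner):
    """'enabled' when every MX host has a usable TLSA RRset at _25._tcp.<mx>,
    'partial' when only some do (the work-in-progress case in the post),
    'none' when no MX host publishes usable records. tlsa_by_owner is assumed
    to hold only DNSSEC-validated answers; unsigned TLSA data is not DANE."""
    covered = [mx for mx in mx_hosts
               if any(is_usable(r) for r in tlsa_by_owner.get(f"_25._tcp.{mx}", []))]
    if not covered:
        return "none"
    return "enabled" if len(covered) == len(mx_hosts) else "partial"

# Constructed sample data: placeholder bytes standing in for DER objects and a
# hypothetical TLSA zone; none of this is real DNS or certificate content.
CERT_DER = b"constructed-certificate-der"
SPKI_DER = b"constructed-subjectpublickeyinfo-der"
TLSA_ZONE = {
    "_25._tcp.mx1.example.test": [(3, 1, 1, hashlib.sha256(SPKI_DER).digest())],
    "_25._tcp.mx2.example.test": [(1, 0, 1, hashlib.sha256(CERT_DER).digest())],  # PKIX-EE: ignored
}

if __name__ == "__main__":
    print(domain_dane_status(["mx1.example.test"], TLSA_ZONE))                      # enabled
    print(domain_dane_status(["mx1.example.test", "mx2.example.test"], TLSA_ZONE))  # partial
    print(tlsa_matches(TLSA_ZONE["_25._tcp.mx1.example.test"][0], CERT_DER, SPKI_DER))  # True
```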