[Cryptography] Debunking the "SMTP TLS's a mess" myth.

Viktor Dukhovni cryptography at dukhovni.org
Mon Oct 3 14:02:49 EDT 2016


On Mon, Oct 03, 2016 at 11:50:34AM +0100, Ben Laurie wrote:

> On 3 October 2016 at 08:31, Stephen Farrell <stephen.farrell at cs.tcd.ie> wrote:
>
> > DANE's another attempt to improve things which may find a niche
> > where it does help. (SMTP/TLS in particular, but who knows maybe
> > back in the web later if something like [1] gets traction.)
> 
> SMTP/TLS is definitely a mess!

Actually, it is rather a success.  The fraction of SMTP traffic
that's encrypted in transit (between organizations over the public
Internet) may be larger than the corresponding metric for HTTP.

    https://www.google.com/transparencyreport/saferemail/

(TL;DR as observed by Gmail, varying by weekday, 84-87% outbound,
76-80% inbound).  Opportunistic TLS does a rather decent job of
defending most traffic against passive wiretap.

Yes, protection against active attacks is also desirable, hence
the interest in DANE and STS.  Today, there are at least (limited
by the extent to which I've been able to find them):

    ~2200 distinct DANE-validated MX host certificates, serving
    ~60700 DANE-enabled domains, of which enough volume is sent by
    ~76 to have appeared in the above Gmail transparency report

Of the 60700 domains, ~700 have DANE for some, but not all of their
MX hosts, so their DANE deployment is a work-in-progress.  A year
ago the domain count was around 12000 and the intersection with
the transparency report was 24 domains.  Below is a sample of
some of the more prominent early adopters:

    gmx.at
    nic.br
    registro.br
    gmx.ch
    open.ch
    switch.ch
    gmx.com
    mail.com
    xfinity.com
    bund.de
    fau.de
    gmx.de
    jpberlin.de
    kabelmail.de
    lrz.de
    posteo.de
    uni-erlangen.de
    unitymedia.de
    web.de
    octopuce.fr
    comcast.net
    gmx.net
    t-2.net
    xs4all.net
    mkbbelangen.nl
    overheid.nl
    uvt.nl
    xs4all.nl
    domeneshop.no
    debian.org
    freebsd.org
    gentoo.org
    ietf.org
    isc.org
    netbsd.org
    openssl.org
    samba.org
    torproject.org

The gmx.de and comcast.net deployments cover tens of millions
of users.

Much of the early deployment (by domain count) is for small domains
hosted by a few large providers:

    31859 transip.nl
    15144 udmedia.de
     1795 bhosted.nl
     1261 nederhost.net
      905 ec-elements.com
      376 core-networks.de
      208 omc-mail.com
      181 hot-chilli.net
      168 mailbox.org
      164 networking4all.net

I expect to see more large populations of hosted domains supporting
DANE TLS for SMTP by the end of this year, and the total to grow
by a factor of 10 or so.

-- 
	Viktor.
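The post counts "DANE-validated MX host certificates", i.e. MX hosts whose certificate matches a TLSA record published under `_25._tcp.<mx-host>`. The following is an added example, not code from the post or from any DANE implementation, showing how that match is computed (RFC 6698 certificate usage 3 "DANE-EE", selector 1 "SPKI", matching type 1 "SHA-256", which RFC 7672 recommends for SMTP) using only the Python standard library. The certificate bytes are a constructed, minimal DER structure with placeholder fields and a made-up key rather than a real X.509 certificate, so that it runs offline; the DER walker relies only on the field order X.509 mandates, so it also applies to a real certificate's DER.

```python
"""Compute and check DANE TLSA records for an SMTP server certificate.

Added example, not from the original post.  SAMPLE_CERT below is a
constructed minimal DER structure (placeholder issuer/subject/validity,
made-up key), not a real certificate, so the example runs offline.
"""
import hashlib


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into (tag, raw_tlv) items."""
    items, pos = [], 0
    while pos < len(value):
        tag, _, end = der_read(value, pos)
        items.append((tag, value[pos:end]))
        pos = end
    return items


def der_encode(tag, content):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serial,
    signatureAlg, issuer, validity, subject, subjectPublicKeyInfo, ... },
    signatureAlgorithm, signatureValue }
    """
    _, cert_body, _ = der_read(cert_der)
    tbs_tag, tbs_tlv = der_children(cert_body)[0]
    assert tbs_tag == 0x30, "tbsCertificate must be a SEQUENCE"
    _, tbs_body, _ = der_read(tbs_tlv)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                # explicit [0] version, absent in v1 certs
        fields = fields[1:]
    return fields[5][1]                     # serial, sigAlg, issuer, validity, subject, SPKI


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Return (usage, selector, mtype, hex_assoc_data) for this certificate."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        assoc = data                        # full data, no hash
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown TLSA matching type %r" % mtype)
    return (usage, selector, mtype, assoc.hex())


def tlsa_matches(record, cert_der):
    """True if the record's association data matches cert_der's data.

    For usage 3 (DANE-EE) cert_der is the server's leaf certificate; for
    usage 2 (DANE-TA) it would be the trust-anchor certificate from the chain.
    """
    usage, selector, mtype, hexdata = record
    return tlsa_rdata(cert_der, usage, selector, mtype)[3] == hexdata.lower()


def zone_line(mx_host, record, port=25):
    """Render the record as a zone-file line for the MX host's SMTP port."""
    u, s, m, h = record
    return "_%d._tcp.%s. IN TLSA %d %d %d %s" % (port, mx_host, u, s, m, h)


# --- constructed sample certificate (not a real X.509 certificate) ----------
SEQ, INT, OID, BITSTR, CTX0 = 0x30, 0x02, 0x06, 0x03, 0xA0
ED25519_ALG = der_encode(SEQ, der_encode(OID, bytes.fromhex("2b6570")))  # 1.3.101.112
SAMPLE_PUBKEY = bytes(range(32))                                        # made-up key bytes
SAMPLE_SPKI = der_encode(SEQ, ED25519_ALG + der_encode(BITSTR, b"\x00" + SAMPLE_PUBKEY))
SAMPLE_TBS = der_encode(SEQ,
    der_encode(CTX0, der_encode(INT, b"\x02"))  # version v3
    + der_encode(INT, b"\x01")                  # serial
    + ED25519_ALG                               # signature algorithm
    + der_encode(SEQ, b"")                      # issuer (placeholder)
    + der_encode(SEQ, b"")                      # validity (placeholder)
    + der_encode(SEQ, b"")                      # subject (placeholder)
    + SAMPLE_SPKI)
SAMPLE_CERT = der_encode(SEQ, SAMPLE_TBS + ED25519_ALG
                         + der_encode(BITSTR, b"\x00" + bytes(64)))     # placeholder signature

if __name__ == "__main__":
    rec = tlsa_rdata(SAMPLE_CERT)           # "3 1 1": the form RFC 7672 recommends
    print(zone_line("mx1.example.com", rec))
    print("matches:", tlsa_matches(rec, SAMPLE_CERT))
```

A "3 1 1" record pins only the key, so the host's certificate can be re-issued (by any or no CA) without touching DNS as long as the key is kept; a "3 0 1" record hashes the whole certificate and must be rotated with it. Each MX host is evaluated against its own `_25._tcp.<host>` TLSA records, which is why a domain that has published records for only some of its MX hosts, as the post describes, is only partially protected: mail routed to the hosts without records falls back to unauthenticated opportunistic TLS.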

