[Cryptography] What ever happened to end-to-end email encryption?

Viktor Dukhovni cryptography at dukhovni.org
Sun Aug 22 01:09:36 EDT 2021


On Sat, Aug 21, 2021 at 01:44:56PM +0000, Henry Baker wrote:

> Check out this recent USENIX paper on STARTTLS in SMTP & IMAP;
> many email providers & email clients still can't achieve the basic
> requirement to not send email passwords in the clear.
> 
> https://www.usenix.org/conference/usenixsecurity21/presentation/poddebniak

The paper is mostly old news, and the vulnerable applications (non-MTA
IMAP and SUBMIT servers and clients) are lately moving to implicit TLS
(ports 465 and 993).  Of course their STARTTLS stacks should also have
the same fixes that MTAs applied 10 years ago.

> And we still blame the Russians for hacking emails?

The attacks in the paper are interesting, but not a significant threat
in practice, since they are sophisticated on-path attacks, and it is far
easier to send links to booby-trapped web sites, attach malware
executables, ...

My estimate of the number of users exploited via such attacks is exactly
zero.

-- 
    Viktor.
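An added example, not Viktor's code or anything from the USENIX paper: a small offline model of a server's STARTTLS transition, assuming the MTA fix he refers to is emptying the plaintext read buffer before the TLS handshake so that bytes a client sends after the STARTTLS line can never be parsed as commands inside the TLS session (the IMAP case is analogous). The "wire" is a constructed byte string; no sockets are involved.

```python
CRLF = b"\r\n"


def split_at_starttls(plaintext: bytes):
    """Split the plaintext read buffer into (bytes before STARTTLS, leftover after it)."""
    before, sep, leftover = plaintext.partition(b"STARTTLS" + CRLF)
    if not sep:
        raise ValueError("no STARTTLS command in buffer")
    return before, leftover


def _parse_lines(buf: bytes) -> list:
    """Turn CRLF-delimited bytes into a list of command strings (empty lines dropped)."""
    return [line.decode("ascii") for line in buf.split(CRLF) if line]


def handle_naive(plaintext: bytes, via_tls: bytes) -> dict:
    """Defective transition (the pre-fix behaviour): whatever was left in the
    plaintext buffer after STARTTLS is kept and parsed ahead of the data that
    really arrived through the TLS layer."""
    _, leftover = split_at_starttls(plaintext)
    return {"commands": _parse_lines(leftover + via_tls), "discarded": 0}


def handle_fixed(plaintext: bytes, via_tls: bytes) -> dict:
    """Hardened transition: the leftover is dropped before the handshake, so only
    bytes read from the TLS layer become commands. RFC 3207 requires the client
    to start the TLS negotiation before sending anything else, so a non-zero
    'discarded' count is worth logging as a protocol violation."""
    _, leftover = split_at_starttls(plaintext)
    return {"commands": _parse_lines(via_tls), "discarded": len(leftover)}


# Constructed sample: a client that pipelines a NOOP behind STARTTLS, then
# sends its real session over TLS.
PLAINTEXT = b"EHLO client.example\r\nSTARTTLS\r\nNOOP\r\n"
VIA_TLS = b"EHLO client.example\r\nMAIL FROM:<sender@example>\r\n"

if __name__ == "__main__":
    print("naive:", handle_naive(PLAINTEXT, VIA_TLS))
    print("fixed:", handle_fixed(PLAINTEXT, VIA_TLS))
```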

