Do not expect STARTTLS to automatically encrypt your email
The researchers call the security of email into question. Although STARTTLS (an extension to the otherwise plaintext SMTP protocol) and three other security extensions are now widely deployed, they still do not protect mail effectively, chiefly because active attacks remain common.
What does this mean in practice? Parts of a message are likely to travel in plaintext; there is no mechanism that guarantees a message has not been tampered with on its way to the recipient; and SMTP, the protocol used to relay mail, is so simple by design that these bolted-on extensions cannot achieve their intended purpose.
SMTP was designed without any provision for the confidentiality or integrity of messages; both were left entirely to extensions developed later. As a result, STARTTLS, DomainKeys Identified Mail (DKIM), the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) often fail to work as expected.
The researcher wrote:
Opportunistic encryption that falls back to sending messages in plaintext gives network attackers the opportunity to intercept and monitor email. The attack corrupts the STARTTLS negotiation and downgrades the connection to an unencrypted channel. We identified 4,714 SMTP servers in 41,405 ASes that leave email exposed in 193 countries. Analysing mail sent to Gmail, we found that in seven countries more than 20% of messages were not encrypted. The worst case is Tunisia, where 96% of messages sent to Gmail were downgraded to plaintext.
These findings are based on Gmail's SMTP connection logs from January 2014 to April 2015 and on a scan, carried out in April 2015, of the SMTP server configurations of the domains on the Alexa list. According to the Gmail data, the number of inbound messages protected by TLS rose by 82% within one year, and TLS-protected outbound deliveries rose by 54%, so that about 80% of outbound mail is now encrypted in transit. The increase is largely due to Yahoo, Outlook and a handful of other large email providers enabling STARTTLS.
Statistically, about 770,000 SMTP servers still fail to protect their systems. Although 82% of the domains scanned support TLS, only 35% are configured correctly, where "correctly" means the server not only encrypts the connection but also presents a valid certificate with which it authenticates itself to the connecting server.
STARTTLS Problems
The researchers also found evidence explaining why STARTTLS fails to work as expected. Like many security mechanisms, STARTTLS is designed to fail open rather than fail closed: when an error occurs during the negotiation, the sending server falls back to delivering the message unencrypted instead of holding it.
An attacker on the network path can exploit this design by injecting packets that trigger such an error. Although the overall share of Gmail mail downgraded to plaintext is small, in Tunisia TLS was stripped from 96% of messages.
"Tampering with TLS on an SMTP connection is not always malicious; many devices may do it only for legitimate purposes," the researchers write. "But whatever the intention, the technique still causes email to be sent across the public internet in plaintext, increasing the opportunity for eavesdropping and other attacks."
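The fail-open behaviour described above can be seen in a short simulation of the SMTP capability exchange. This is an added example, not code from the article or from the paper it reports on: the server's EHLO response is constructed, the on-path device that blanks out the STARTTLS keyword (keeping the line the same length so the TCP stream stays consistent) is modelled only in outline, and the two client policies, fail-open and fail-closed, are illustrative names for the two ways a sending MTA can react when STARTTLS is missing.

```python
"""Simulation of STARTTLS stripping against fail-open and fail-closed SMTP clients.

Added example; not from the article or the paper. The EHLO syntax follows
RFC 5321 / RFC 3207, but the server response, the stripping device and the
client policies are constructed for illustration.
"""

# Constructed EHLO response from a server that offers STARTTLS (RFC 3207).
SERVER_EHLO_RESPONSE = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def strip_starttls(ehlo_response: str) -> str:
    """Rewrite the EHLO response the way an on-path device might.

    The STARTTLS keyword is replaced by the same number of 'X' characters:
    the byte count is unchanged, so TCP sequence numbers stay valid, but the
    client no longer sees TLS on offer.
    """
    out = []
    for line in ehlo_response.split("\r\n"):
        if line.upper().endswith("STARTTLS") and len(line) > 4:
            line = line[:4] + "X" * (len(line) - 4)  # keep "250-" prefix
        out.append(line)
    return "\r\n".join(out)


def parse_capabilities(ehlo_response: str) -> set:
    """Return the EHLO keywords advertised (first line is the greeting)."""
    caps = set()
    for i, line in enumerate(ehlo_response.split("\r\n")):
        if i == 0 or len(line) <= 4:
            continue
        if line[:3] == "250" and line[3] in "- ":
            caps.add(line[4:].split(" ", 1)[0].upper())
    return caps


class DowngradeRefused(Exception):
    """Raised by the fail-closed client when TLS was required but not offered."""


def choose_channel(ehlo_response: str, require_tls: bool) -> str:
    """Decide how the client will send the message.

    require_tls=False models fail-open: when STARTTLS is missing from the
    EHLO response the client silently continues in cleartext.
    require_tls=True models fail-closed: the client refuses and a real MTA
    would defer the message instead of downgrading.
    """
    if "STARTTLS" in parse_capabilities(ehlo_response):
        return "tls"  # client would now send STARTTLS and handshake
    if require_tls:
        raise DowngradeRefused("server did not offer STARTTLS; refusing cleartext")
    return "plaintext"


def run_scenarios() -> dict:
    """Run both client policies against the direct and the stripped response."""
    results = {}
    for label, response in (("direct", SERVER_EHLO_RESPONSE),
                            ("stripped", strip_starttls(SERVER_EHLO_RESPONSE))):
        for policy, require in (("fail-open", False), ("fail-closed", True)):
            try:
                results[f"{label}/{policy}"] = choose_channel(response, require)
            except DowngradeRefused:
                results[f"{label}/{policy}"] = "refused"
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:22s} -> {outcome}")
```

Against a real server the same observation can be made with `openssl s_client -starttls smtp -connect mx.example.net:25`, which fails if STARTTLS is not advertised or the handshake is broken. The fail-closed branch corresponds to a mandatory-TLS setting in the sending MTA (in Postfix, `smtp_tls_security_level = encrypt` rather than the opportunistic `may`), at the cost that mail to servers without working TLS is deferred rather than delivered in plaintext.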
The evidence also shows that DNS records are often wrong, and that attackers can redirect email to servers they control rather than to the intended destination. More than 178,000 public DNS servers return invalid IP addresses or MX records for domains such as gmail.com, yahoo.com, outlook.com, qq.com and mail.ru.
The report concludes that although email providers continue to deploy STARTTLS, there is no way to guarantee that a message will be encrypted while in transit from one server to another. Users who need confidentiality can instead choose end-to-end encryption such as GPG or S/MIME.