Hi all,

following the talk of Eleanor Saitta at Noisy2 (https://noisysquare.com/ethics-and-power-in-the-long-war-eleanor-saitta-dymaxion/), some private discussion with Moritz Blatz and some discussion with activists of autistici regarding the effective privacy of security-enhanced email services, I realized that we do not have an objective vision of what the status of security in SMTP email exchange (between SMTP servers) is.

We need to answer several questions from several perspectives in order to evaluate, for a later improvement, what the link-level-security of email transport between SMTP servers on the internet is.

*From an internet architecture perspective:*

* "What is the status of security in SMTP email exchange on the internet?"
* From the top-30 global email providers and from the top-10 of each major country:
  - which of them offer SMTP/TLS when sending email?
  - which of them accept SMTP/TLS when receiving email?

With those data the ISPs could be challenged to introduce some better link-level-security.

*From a software perspective:*

* Which of the 10 most used SMTP software in the world (commercial and opensource):
  - offer SMTP/TLS by default when sending email?
  - accept SMTP/TLS by default when receiving email?

With those data the software vendors could be challenged to improve the "default" of link-level-security, introducing a default-opportunistic encryption.

*From an analysis perspective:*

* Which of the major email log analysis platforms support:
  - Analyzing which of the remote SMTP servers we send email to, or receive email from, support SMTP/TLS, which do not support it, and which support it partially and/or give specific errors
* Which kind of massive-scale analysis could be approached (internet-wide scanning) to map the status of email security?
* Which of them also support TLS compression and SMTP PIPELINING (making it more difficult to carry out timing correlation attacks on SMTP traffic)?

With those data we could effectively enable centralized / diffused collection of data regarding the "current status" of the internet with regard to these email security issues.

*From a proactive perspective:*

* How could we implement a set of standard measures to increase the number of servers supporting SMTP/TLS?

One idea here would be to have an email server that does only SMTP/TLS for inbound and outbound communications and that automatically sends abuse-alike emails to email/domain/IP owners, informing them of an "URGENT Security Problem".

Another idea would be to make a "hall of shame" of all non-security SMTP providers and/or to aggregate all of them into a DNS-list in order to have a "Secure by default, but with some exceptions" SMTP/TLS exchange.

Others surely exist.

As Eleanor Saitta underlined, improving the security of SMTP email exchange over the internet would greatly challenge massive wiretapping programs for what's related to email interception, by attacking the cost/benefit that those carry on.

Anyone willing to work on that kind of issue from a global internet perspective, requiring a lot of work in a lot of different areas, would be my personal heroes for 2014!

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org

--
Liberationtech is a public list whose archives are searchable on Google.
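
As an added example (not part of the original post): one way to approach the "accept SMTP/TLS when receiving" and PIPELINING questions above is to classify each server's EHLO reply by the extensions it advertises. The hostnames, replies and label names below are constructed for illustration, not measurements.

```python
import re
from collections import Counter

# RFC 5321 reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
REPLY_LINE = re.compile(r"^(\d{3})([- ])(.*)$")

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a raw EHLO reply; ValueError if refused or malformed."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    extensions = {}
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        code, sep, text = m.groups()
        if code != "250":
            raise ValueError("EHLO refused with code " + code)
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        if i > 0 and text.split():  # line 0 is the greeting, not an extension
            keyword, *params = text.split()
            extensions[keyword.upper()] = params  # keywords are case-insensitive
    return extensions

def classify(reply):
    """Label one server by what it advertises to an inbound SMTP client."""
    try:
        ext = parse_ehlo(reply)
    except ValueError:
        return "error"
    if "STARTTLS" not in ext:
        return "plaintext-only"
    return "starttls+pipelining" if "PIPELINING" in ext else "starttls"

def survey(replies):
    """Map each host to its label and count the labels across the sample."""
    labels = {host: classify(raw) for host, raw in replies.items()}
    return labels, Counter(labels.values())

# Constructed sample replies (hypothetical hosts).
SAMPLES = {
    "mx.example.com": "250-mx.example.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n",
    "mx.example.net": "250-mx.example.net\r\n250-SIZE 5000000\r\n250 8BITMIME\r\n",
    "mx.example.org": "502 5.5.2 Command not recognized\r\n",
    "mail.example.edu": "250-mail.example.edu\r\n250-starttls\r\n250 HELP\r\n",
}

if __name__ == "__main__":
    labels, totals = survey(SAMPLES)
    for host, label in sorted(labels.items()):
        print(host, label)
    print(dict(totals))
```

An advertised STARTTLS keyword only shows the offer; whether the handshake then completes, and with which errors, has to be recorded separately to cover the "support partially" case.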
