Hey guys,
just a quick heads up on a paper that will be published at USENIX
Security 21 about "A Security Analysis of STARTTLS in the Email Context".
Don't panic! Or as quoted from the document:
> How important is this?
> [It's not the most important thing you should worry about today.](https://www.ipcc.ch/assessment-report/ar6/)
Security researchers of our university and an independent researcher
examined possible attacks on email clients and servers that use STARTTLS.
They have found more than 40 vulnerabilities in STARTTLS implementations.
https://nostarttls.secvuln.info/
Their conclusion is that all vulnerabilities rely on the transition of
an insecure connection to a secure connection.
> Implicit TLS does not have such a transition and is therefore not
> vulnerable to any of these attacks. We therefore consider implicit TLS a
> more secure option than STARTTLS.
Which I think most of us already knew/expected?
While it does not seem to be an urgent issue, it might help if we'd get
people to switch to implicit TLS where possible…
Regards,
Thomas Walter
--
Thomas Walter
Datenverarbeitungszentrale
FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster
Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/
_______________________________________________
mailop mailing list
https://list.mailop.org/listinfo/mailop
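The post's advice is to move clients to implicit TLS "where possible". As an added example (not code from the paper or from this thread), the Python script below probes a submission host to answer that question: does a TLS handshake succeed directly on port 465 (implicit TLS), and does the plaintext EHLO reply on port 587 advertise STARTTLS, i.e. the insecure-to-secure transition the paper's attacks target? The host name is a constructed placeholder.

```python
# Added example (not from the paper or this thread): probe an SMTP host to see
# whether it already offers implicit TLS, so clients can be moved off STARTTLS.
# The host name under __main__ is a constructed placeholder.
import socket
import ssl

def read_reply(sock: socket.socket) -> bytes:
    """Read one full SMTP reply (multi-line replies end with '250 ', not '250-')."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk
        last = data.rstrip(b"\r\n").rsplit(b"\r\n", 1)[-1]
        if len(last) >= 4 and last[3:4] == b" ":
            return data

def parse_ehlo(reply: bytes) -> set[str]:
    """Capability keywords from an EHLO reply; the first line is the server greeting."""
    caps = set()
    for line in reply.decode("utf-8", "replace").splitlines()[1:]:
        if line.startswith("250") and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps

def implicit_tls_available(host: str, port: int = 465, timeout: float = 5.0) -> bool:
    """True if TLS is negotiated on connect, before any SMTP command is exchanged."""
    ctx = ssl.create_default_context()  # validates certificate chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return read_reply(tls).startswith(b"220")
    except (OSError, ssl.SSLError):
        return False

def starttls_advertised(host: str, port: int = 587, timeout: float = 5.0) -> bool:
    """True if the plaintext EHLO reply advertises STARTTLS (the risky transition)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            read_reply(s)  # 220 greeting, still plaintext at this point
            s.sendall(b"EHLO probe.invalid\r\n")
            return "STARTTLS" in parse_ehlo(read_reply(s))
    except OSError:
        return False

if __name__ == "__main__":
    host = "mail.example.invalid"  # constructed placeholder, replace with your MX/MSA
    print(host, "implicit TLS:", implicit_tls_available(host),
          "STARTTLS advertised:", starttls_advertised(host))
```

If implicit TLS succeeds on 465, clients can be pointed there; if only STARTTLS is advertised, keep it but configure clients to require TLS and validate certificates.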