On 8/9/21 9:46 AM, Thomas Walter via mailop wrote:
> Hey guys,
Hi,
> just a quick heads up on a paper that will be published at USENIX Security 21 about "A Security Analysis of STARTTLS in the Email Context".
Interesting. I'll have to keep an eye out for it.
> Security researchers of our university and an independent researcher examined possible attacks on email clients and servers that use STARTTLS. They have found more than 40 vulnerabilities in STARTTLS implementations.
Did the researchers include protocol vulnerabilities and / or implementation vulnerabilities and / or configuration vulnerabilities?
E.g. Are they lamenting username & password over a clear channel when a server can be configured to require an encrypted channel before allowing authentication to send said username & password?
> Their conclusion is that all vulnerabilities rely on the transition of an insecure connection to a secure connection.
Does the paper touch on -- what I understand to be -- the current preference from an RFC / IANA point of view to use a single port, as opposed to the multi-port preference from the late '90s / early '00s? Or, is the paper advocating for supporting cleartext and cyphertext on the same port and using sniffing to determine which is being used?
-- Grant. . . . unix || die
