> On 03.08.2022 at 13:48, Sidsel Jensen via mailop <mailop@mailop.org> wrote:
>
> We were having a discussion on the possibility of disabling TLS 1.0 and 1.1 
> for MTA-to-MTA communication, and based on the numbers we've seen so far, it 
> doesn't look that far-fetched.

As long as the MTA in question supports plaintext SMTP connections, disabling 
TLS 1.0 or 1.1 will not improve the security of public, anonymous MTA-to-MTA 
connections, but *decrease* it, for the following reasons:

A TLS-encrypted SMTP connection protects against eavesdropping on or altering of 
messages through MITM attacks, which can be either passive or active:

a) An active MITM will simply strip off the STARTTLS keyword (always 
transmitted in the clear), thereby forcing the involved MTAs to fall back to 
plaintext communication. There are ready-to-use tools to achieve that, and 
it is infinitely easier to perform this attack than to break even the oldest 
ciphersuites.
So with an active MITM it doesn't matter if an MTA supports TLS 1.0, 1.2 or 
whatever version, because no TLS at all will ever be part of the connection.

b) A passive MITM, on the other hand, will not be able to perform a downgrade 
attack (because, well... he would be an active attacker in this case, for which 
see above). So if both MTAs support TLS 1.2 and a common ciphersuite, they are 
going to use that. It doesn't lower the security if one MTA additionally 
supports older SSL/TLS versions, as long as it tries the newest first.
If, however, the other MTA *only* supports TLS 1.0, disabling this version on 
your MTA will result in the connection falling back to plaintext; at least the 
MTA software I know of behaves this way. So instead of seeing a TLS 1.0 
encrypted SMTP connection, which is next to impossible to break for a passive 
MITM, the attacker will instead be able to simply read everything in plaintext. 
Game over.

For those reasons I recommend (again, for public, anonymous SMTP connections) 
enabling all SSL and TLS versions that the system in use provides. This holds 
true until unencrypted SMTP connections are disabled and/or DANE gets any 
widespread usage.

MTA-STS is out of scope here, since it restricts TLS to version 1.2 or higher 
anyway, regardless of whether an MTA would theoretically support older versions as well.

For selected targets where you know that they support TLS 1.2 it makes sense to 
enforce this of course. The same is true for MUA submission, which should be 
restricted to implicit TLS 1.2 or newer (no STARTTLS support).

Regarding the claims in this thread that TLS 1.0 would be as insecure as 
plaintext: I'm honestly interested to learn about an attack against a TLS 1.0 
encrypted SMTP connection by a passive attacker.

—
BR Oliver
________________________________

dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Telephone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, registry court Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher
________________________________
Data protection information
When you get in touch with us, for example when you have questions for our 
ServiceCenter, shop with us or visit our dialogicum in Karlsruhe, have a 
business relationship with us or apply for a position with us, we process 
personal data. Information on, among other things, the specific data processing, 
deletion periods, your rights and the contact details of our data protection 
officer can be found 
here<https://www.dm.de/datenschutzerklaerung-kommunikation-mit-externen-493832>.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
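The two situations described in the mail above (an active MITM that edits the clear-text EHLO reply, and a client that has disabled TLS 1.0 meeting a peer that speaks nothing newer), plus the live check one would run before enforcing TLS 1.2 for a selected target, as an added example. This is not code from the original mail or from any MTA. The EHLO reply is constructed, `mx.example.invalid` is a placeholder, the opportunistic-TLS fallback is modelled the way the mail describes it (try TLS if it is offered and a version can be agreed, otherwise send in the clear), and `probe_starttls` assumes a host you are permitted to test and an OpenSSL build that still allows the older versions (if it refuses a version, the probe says so instead of inferring anything about the peer).

```python
"""Opportunistic STARTTLS, modelled as the mail describes it: an active MITM
only has to edit the clear-text EHLO reply, and a client that has dropped
TLS 1.0 against a TLS-1.0-only peer ends up in plaintext.
Added example, not code from the original mail. The EHLO reply below is
constructed; mx.example.invalid is a placeholder name."""
import smtplib
import ssl

V = ssl.TLSVersion
ALL_VERSIONS = [V.TLSv1, V.TLSv1_1, V.TLSv1_2, V.TLSv1_3]  # "enable everything"
TLS12_PLUS = [V.TLSv1_2, V.TLSv1_3]                         # TLS 1.0/1.1 disabled
LEGACY_ONLY = [V.TLSv1]                                     # a peer stuck on TLS 1.0

# Constructed multi-line EHLO reply, as a typical MTA announces its extensions.
EHLO_REPLY = (
    b"250-mx.example.invalid\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo(reply: bytes) -> list[str]:
    """Extension keywords from a 250 multi-line reply (first line is the host name)."""
    keywords = []
    for line in reply.decode("ascii", "replace").splitlines():
        if line.startswith(("250-", "250 ")):
            keywords.append(line[4:].split(" ")[0].upper())
    return keywords[1:]


def strip_starttls(reply: bytes) -> bytes:
    """What a STARTTLS-stripping MITM does on the wire: the keyword travels in the
    clear, so overwriting it is enough; the client never learns TLS was offered."""
    return reply.replace(b"STARTTLS", b"XXXXXXXX")


def negotiate(client_versions, server_versions):
    """Highest TLS version both sides allow, or None when they have none in common."""
    common = set(client_versions) & set(server_versions)
    return max(common) if common else None


def outcome(reply: bytes, client_versions, server_versions) -> str:
    """Channel an opportunistic-TLS client ends up with: TLS if STARTTLS is
    offered and a version can be agreed, otherwise fall back to plaintext."""
    if "STARTTLS" not in parse_ehlo(reply):
        return "plaintext"
    version = negotiate(client_versions, server_versions)
    return version.name if version else "plaintext"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check before enforcing TLS 1.2 for a selected target (an MX you are
    permitted to test): does it advertise STARTTLS, and which versions does it
    actually complete a handshake with? One connection per version."""
    results = {}
    for ver in ALL_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False     # probing versions, not verifying identity
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.maximum_version = ver
            ctx.minimum_version = ver
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL offer legacy suites
        except (ValueError, ssl.SSLError):
            results[ver.name] = "not available in this OpenSSL build"
            continue
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as s:
                s.ehlo()
                if not s.has_extn("starttls"):
                    return {"starttls": False}
                s.starttls(context=ctx)
                results[ver.name] = s.sock.version()  # e.g. "TLSv1.2"
        except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
            results[ver.name] = f"handshake failed ({type(exc).__name__})"
    results["starttls"] = True
    return results


if __name__ == "__main__":
    print("both modern:          ", outcome(EHLO_REPLY, ALL_VERSIONS, ALL_VERSIONS[:3]))
    print("1.0 kept, peer 1.0:   ", outcome(EHLO_REPLY, ALL_VERSIONS, LEGACY_ONLY))
    print("1.0 dropped, peer 1.0:", outcome(EHLO_REPLY, TLS12_PLUS, LEGACY_ONLY))
    print("active MITM:          ", outcome(strip_starttls(EHLO_REPLY), ALL_VERSIONS, ALL_VERSIONS))
```

The `@SECLEVEL=0` cipher string and the disabled certificate checks are there only so the probe can offer each legacy version and report what the peer completes; they are not a delivery policy. Run `probe_starttls("mx.you-operate.example")` once per candidate before adding that target to an enforced TLS 1.2 policy, and treat a `"handshake failed"` entry for TLS 1.2 as a reason not to enforce yet.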
