On 13/02/18 17:03, Viktor Dukhovni wrote:
> Sorry, you're right, the client has to enforce TLS, whether implicit
> or not. Some clients try multiple ports and multiple operating modes,
> so might also try port 25 in the clear, 465 with TLS and 587 with or
> without STARTTLS. Such clients are subject to MiTM. The server
> should also insist on TLS, to better train its clients, but the
> primary burden to ensure security is on the client.
Right and here you're referring to the auto-configuration feature on
most modern clients. If a server is correctly configured to not allow
plain text authentication in any means but a client's auto-configure
picks up a working auth on a plain text connection then it would seem to
me that a MITM is active. This would become apparent as soon as the
plain text connection is attempted when the MITM is no longer there,
though as the auto-configured settings would be saved.
The main difference between this and the previously-mentioned
opportunistic STARTTLS that older clients offer is that those older
clients will fall back to plain text at any given time, not just during
auto-configuration. This makes the attack vector more dangerous, imo
because it would not become apparent to the user that anything is wrong
when this happens or when the MITM goes away, it would all appear to
just work normally the entire time.