STARTTLS Email Encryption Improperly Configured By Smaller Providers, Say Researchers

Status
Not open for further replies.

igot1forya

Distinguished
Jun 27, 2008
STARTTLS is the SMTP command to engage the TLS encryption layer. TLS is the actual encryption the article references. TLS downgrade attacks are common because email is meant to "just work"; as a result, legacy unencrypted SMTP is used as a backup whenever a server encounters a faulty TLS session or none at all. The best way to avoid these situations is to simply ban non-TLS servers or score their email reputation higher (generating a high level of SPAM bounces), unless they use a TLS-capable smart-host to facilitate their encryption policy if their native server can't do it. It's just lazy to not have TLS.
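An added illustration of the fallback behaviour described in the post above (example code written for this page, not code from the thread or from any mail server): a small Python model of an outbound MTA's TLS decision, comparing an opportunistic policy, which silently falls back to cleartext when STARTTLS is missing from the EHLO reply or the handshake fails, with a mandatory policy that defers the message instead. The EHLO replies, function names and policy names are constructed for the example; the policy names follow Postfix's "may"/"encrypt" convention.

```python
# Added example: models how an outbound mail server chooses between TLS and
# cleartext delivery after reading the peer's EHLO reply. It shows why an
# opportunistic ("may") policy is exposed to a STARTTLS downgrade and how a
# mandatory ("encrypt") policy refuses the fallback. All replies below are
# constructed samples, not captured traffic.

def parse_ehlo(reply: str) -> set[str]:
    """Return the SMTP extension keywords advertised in an EHLO reply.

    A multi-line reply uses '250-' on every line except the last ('250 ').
    The first line is the server's greeting, not an extension.
    """
    keywords = set()
    lines = reply.strip().splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        # Keyword is the first token after '250-' / '250 ' (e.g. 'AUTH PLAIN').
        keywords.add(line[4:].split()[0].upper())
    return keywords


def delivery_action(policy: str, ehlo_reply: str, tls_handshake_ok: bool = True) -> str:
    """Decide what an outbound MTA does with a message under a TLS policy.

    policy: "none" (never TLS), "may" (opportunistic), "encrypt" (mandatory).
    Returns "tls", "cleartext" or "defer".
    """
    if policy == "none":
        return "cleartext"
    if policy not in ("may", "encrypt"):
        raise ValueError(f"unknown policy {policy!r}")
    offers_starttls = "STARTTLS" in parse_ehlo(ehlo_reply)
    if offers_starttls and tls_handshake_ok:
        return "tls"
    # STARTTLS absent (possibly stripped in transit) or the handshake failed:
    # opportunistic TLS quietly downgrades, mandatory TLS queues and retries.
    return "cleartext" if policy == "may" else "defer"


# Constructed EHLO replies: one advertising STARTTLS, one with it removed.
EHLO_WITH_TLS = "250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = "250-mail.example.test\r\n250-PIPELINING\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for policy in ("may", "encrypt"):
        print(policy, "intact:", delivery_action(policy, EHLO_WITH_TLS))
        print(policy, "stripped:", delivery_action(policy, EHLO_STRIPPED))
        print(policy, "handshake failed:",
              delivery_action(policy, EHLO_WITH_TLS, tls_handshake_ok=False))
```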
 

Darkk

Distinguished
Oct 6, 2003
Until TLS and SSL certs are required for ALL e-mail servers, we have to resort to 3rd-party encryption like OpenPGP and Citrix ShareFile.
 