STARTTLS Email Encryption Improperly Configured By Smaller Providers, Say Researchers

Status
Not open for further replies.

igot1forya

Distinguished
Jun 27, 2008
590
0
18,980
0
STARTTLS is the SMTP command to engage the TLS encryption layer. TLS is the actual encryption the article references. TLS downgrade attacks are common because email is meant to "just work", as a result legacy unencrypted SMTP is used as a backup whenever a server encounters a faulty TLS session or none at all. The best way to avoid these situations is to simply ban non-TLS servers or score their email reputation higher (generating a high level of SPAM bounces) unless they use a TLS capable smart-host to facilitate their encryption policy if their native server can't do it. It's just lazy to not have TLS.
 

Darkk

Distinguished
Oct 6, 2003
615
0
18,980
0
Until TLS and SSL Certs are required for ALL e-mail servers we have to resort to 3rd party encryption like OpenPGP and Citrix Sharefile.
 
Status
Not open for further replies.

ASK THE COMMUNITY

TRENDING THREADS