
Does TLS Corruption Spell the end of SMTP TLS?

We have seen discussions recently about how attackers can interfere with SMTP TLS, influencing connections and causing them to be downgraded to insecure — SMTP without TLS.  See, for example, Ars Technica's "Don't Count on STARTTLS to Automatically Encrypt your Sensitive Emails".

What is being discussed here is a very real attack on Opportunistic TLS, i.e. the kind of automated establishment of encryption that can happen when two email servers begin their dialog and discover that "hey, great, we both support TLS, so let's use it!"  In such cases, servers take the "opportunity" to use TLS to encrypt the delivery of an email message from one server to another.  Opportunistic TLS is great, as it is enabling automatic encryption of more and more email over time (see: Who supports TLS?).

The problem is that the initial negotiation of the SMTP email connection, before TLS is established, occurs over an insecure channel.  A man-in-the-middle attacker can interfere with this connection so that it appears that TLS (i.e. the STARTTLS command) is not supported by the server (when it really is).  As a result, the sending server will never try to use TLS and the connection will remain insecure — transmitting the email message “in the clear” and ripe for eavesdropping.

So, Can you Trust Opportunistic TLS for Sensitive Emails?

No. This article and the surrounding discussion are completely correct in that you cannot trust opportunistic TLS to secure sensitive email messages!  This is because:

  1. The server’s configurations can change without notice (on purpose, by accident, or via malicious design) to stop it from supporting TLS and thus stop messages from being encrypted.
  2. A man-in-the-middle can modify the connections to prevent TLS from being negotiated.

So, is TLS Useless?

No. TLS is still very useful for sending sensitive email messages.  The problem with this discussion is that use of TLS is being posed as an option where on the one hand you have encryption and on the other hand you don’t.  This is true of Opportunistic TLS.  However, this is not true of Forced TLS.

With Forced TLS, the sending server:

  1. Knows that the recipient server should support TLS ahead of time.
  2. Tries to negotiate TLS with the recipient server when messages are to be delivered there.
  3. If use of TLS fails (e.g. for any of the reasons given above), then the message is simply NOT SENT — it is queued and re-tried until a TLS connection is established and the message can be sent, or the sending server gives up.

With Forced TLS, messages are never delivered insecurely.
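The following is an added example, not LuxSci's code or any part of SecureLine. It simulates the delivery decision described in the two passages above: the sending server parses the recipient server's EHLO reply (which travels unencrypted, so the STARTTLS capability can be absent either because the server really lacks it or because it was removed in transit), and then applies either an opportunistic policy (fall back to cleartext) or a Forced TLS policy (queue and retry, then give up). The EHLO replies, domain names, message ids and the retry limit are all constructed for the example; no network connection is made.

```python
"""Simulated SMTP delivery decision: Opportunistic TLS vs Forced TLS.

Added example, not LuxSci's code. All inputs are constructed inline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed EHLO replies as the sending server sees them on the wire.
# A multi-line SMTP reply uses "250-" for continuation lines and "250 " for the last line.
EHLO_WITH_STARTTLS = (
    "250-mail.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same server's reply with the STARTTLS capability missing. From the sending
# server's point of view this is indistinguishable from a server that has no TLS.
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def advertises_starttls(ehlo_response: str) -> bool:
    """Return True if any line of the EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_response.splitlines():
        if len(line) >= 4 and line.startswith("250") and line[3] in "- ":
            keyword = line[4:].strip().split(" ")[0].upper()
            if keyword == "STARTTLS":
                return True
    return False


@dataclass
class Outcome:
    action: str   # one of: sent_tls, sent_cleartext, queued, bounced
    reason: str


@dataclass
class SendingServer:
    """Minimal model of an outbound mail server with a per-domain Forced TLS list."""
    forced_tls_domains: Set[str] = field(default_factory=set)   # known to support TLS ahead of time
    max_attempts: int = 3                                       # constructed retry limit
    attempts: Dict[str, int] = field(default_factory=dict)      # message id -> delivery attempts
    queue: List[str] = field(default_factory=list)              # message ids waiting for retry

    def deliver(self, msg_id: str, recipient_domain: str,
                ehlo_response: str, tls_handshake_ok: bool = True) -> Outcome:
        """Decide what happens to one delivery attempt under the applicable policy."""
        self.attempts[msg_id] = self.attempts.get(msg_id, 0) + 1
        starttls_offered = advertises_starttls(ehlo_response)

        if starttls_offered and tls_handshake_ok:
            if msg_id in self.queue:
                self.queue.remove(msg_id)
            return Outcome("sent_tls", "STARTTLS negotiated; message sent encrypted")

        reason = "STARTTLS not advertised" if not starttls_offered else "TLS handshake failed"

        # Opportunistic TLS: no TLS means the message goes out in the clear.
        if recipient_domain not in self.forced_tls_domains:
            return Outcome("sent_cleartext", reason + "; opportunistic policy falls back to cleartext")

        # Forced TLS: never send insecurely. Queue and retry until the limit is reached.
        if self.attempts[msg_id] < self.max_attempts:
            if msg_id not in self.queue:
                self.queue.append(msg_id)
            return Outcome("queued", reason + "; Forced TLS refuses cleartext, message queued for retry")

        if msg_id in self.queue:
            self.queue.remove(msg_id)
        return Outcome("bounced", reason + "; retry limit reached, message returned to sender")


if __name__ == "__main__":
    server = SendingServer(forced_tls_domains={"example.net"})
    for attempt in range(3):
        print(server.deliver("msg-1", "example.net", EHLO_WITHOUT_STARTTLS))
    print(server.deliver("msg-2", "other.example", EHLO_WITHOUT_STARTTLS))
```

The important contrast is in the last two branches: under the opportunistic policy a missing STARTTLS line silently produces `sent_cleartext`, while under Forced TLS the same input produces `queued` and eventually `bounced`, so the failure is visible (in the queue and in a bounce) rather than hidden in an unencrypted delivery.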

If you couple Forced TLS with other email encryption technologies, e.g. SecureLine Escrow (which encrypts the message and stores it in a database for the recipient to come and pick up via a secure portal), you have a system where you can deliver messages securely to any recipient, even ones that do not have a TLS-enabled email system.  Of course, there is also the question of whether TLS by itself is "good enough" for your email encryption needs.  If it is not, then this issue is moot and you should stick with more secure technologies like Escrow, PGP, or S/MIME.

TLS is very useful and Forced TLS can be an important part of your email encryption strategy.

Users of LuxSci SecureLine who choose to use just TLS for secure email delivery are in fact using Forced TLS.  LuxSci automatically checks and confirms which domains support strong TLS on all of their email servers and forces its use if they do, falling back to other technologies (such as Escrow) if they do not.  In fact, once LuxSci knows that a recipient domain supports TLS (because SecureLine users have sent to it and LuxSci has thus checked and confirmed), LuxSci forces TLS to all recipients of that domain from all LuxSci users for added overall email security.
