We have seen discussions recently about how attackers can interfere with SMTP TLS, influencing connections, and causing them to be downgraded to insecure — SMTP without TLS. E.g. Ars Technica’s – “Don’t Count on STARTTLS to Automatically Encrypt your Sensitive Emails“.
What is being discussed here is a very real attack on Opportunistic TLS. I.e. the kind of automated establishment of encryption that can happen when two email servers being their dialog and discover that “hey, great, we both support TLS so lets use it!” In such cases, servers take the “opportunity” to use TLS to encrypt the delivery of an email message from one server to another. Opportunistic TLS is great as it is enabling automatic encryption of more and more email over time (see: Who supports TLS?).
The problem is that the initial negotiation of the SMTP email connection, before TLS is established, occurs over an insecure channel. A man-in-the-middle attacker can interfere with this connection so that it appears that TLS (i.e. the STARTTLS command) is not supported by the server (when it really is). As a result, the sending server will never try to use TLS and the connection will remain insecure — transmitting the email message “in the clear” and ripe for eavesdropping.
Read the rest of this post »