

Multiple Mail Maladies, Vulnerabilities in STARTTLS and Exchange

40 Vulnerabilities Discovered in Various STARTTLS Implementations

The first electronic mail, later dubbed email, was sent to users of MIT’s Compatible Time-Sharing System in 1965. Standardized protocols for delivery of email came later, with Simple Mail Transfer Protocol (SMTP) defined in RFC 772 in September 1980 as the primary means to transfer email between mail servers. The Post Office Protocol (POP) came next, with the current version, POP3, originally defined in RFC 1081 in November 1988 and then extended in RFC 1939 in May 1996. Then came the Internet Message Access Protocol (IMAP), with the latest version (v4) defined by RFC 3501 in March 2003. While SMTP handles the transfer of email between mail servers, POP3 and IMAP are the protocols that define how a user accesses the mail in their mailbox.

Email and the protocols that define how we send and receive it have been around for a long time. Like most technology that has been around for a long time, security was an afterthought, added after the technology was already widely used. SMTP, POP3, and IMAPv4 all use no encryption by default, so any traffic carried over these protocols can be read by anyone positioned to observe it. This means that, without extra steps, anyone watching you download your email to your mail client can read your email.

All modern mail clients and servers now support extra steps that have been added on to these protocols to allow for encrypted communication. For SMTP, POP3, and IMAPv4 those extra steps come from something known as Opportunistic TLS, or STARTTLS. STARTTLS is an extension to these protocols, defined in RFC 2595 and RFC 3207, that allows the client and server to encapsulate encrypted TLS traffic inside the normally clear-text protocols. This past week some researchers published findings that document 40 vulnerabilities in various STARTTLS implementations. The full list of vulnerabilities is available at and includes common mail clients such as Outlook for Android, Thunderbird, and more, as well as vulnerabilities in mail servers such as Courier and Dovecot and in some services such as Yahoo and Gmail. They do not list any vulnerabilities for Microsoft 365, Exchange, or the desktop Outlook client. This does not represent an overall vulnerability in the STARTTLS protocol extensions, but rather vulnerabilities in specific implementations of STARTTLS in various servers and clients. It’s also worth noting that STARTTLS is not your only option for adding encryption to your email traffic.
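As an added example (not part of the original post), here is a small Python check a mail administrator can run against their own SMTP, IMAP or POP3 endpoints to confirm that the STARTTLS upgrade described above is advertised and that the upgrade verifies the server certificate instead of quietly continuing in clear text. The sample EHLO reply is constructed, not captured from any real server, and the live check only uses the standard-library smtplib, imaplib and poplib clients.

```python
# Added example, not code from the original post. Checks STARTTLS (SMTP, RFC 3207)
# and STARTTLS/STLS (IMAP and POP3, RFC 2595) support and a verified TLS upgrade.
import imaplib
import poplib
import smtplib
import ssl

# Keyword each protocol uses to advertise opportunistic TLS in its capability reply.
STARTTLS_KEYWORD = {"smtp": "STARTTLS", "imap": "STARTTLS", "pop3": "STLS"}

# Constructed sample EHLO reply (mx.example.test is a placeholder, not a real host).
SAMPLE_EHLO_REPLY = "250-mx.example.test\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP\r\n"


def offers_starttls(proto: str, capability_reply: str) -> bool:
    """True if the raw capability reply advertises the upgrade keyword as a token.
    SMTP lines carry a '250-' / '250 ' reply-code prefix; IMAP and POP3 lines are bare."""
    keyword = STARTTLS_KEYWORD[proto]
    for line in capability_reply.splitlines():
        if proto == "smtp" and len(line) >= 4 and line[:3].isdigit():
            line = line[4:]
        if keyword in line.upper().split():
            return True
    return False


def strict_tls_context() -> ssl.SSLContext:
    """Verify the certificate chain and hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_server(host: str, port: int, proto: str) -> dict:
    """Live check (needs network): connect in clear text, upgrade only if the server
    advertises it, and report what was negotiated; raises ssl.SSLCertVerificationError
    when the presented certificate does not verify for the host."""
    ctx = strict_tls_context()
    if proto == "smtp":
        client = smtplib.SMTP(host, port, timeout=10)
        client.ehlo()
        offered = client.has_extn("starttls")
        if offered: client.starttls(context=ctx)
    elif proto == "imap":
        client = imaplib.IMAP4(host, port, timeout=10)
        offered = "STARTTLS" in client.capabilities
        if offered: client.starttls(ssl_context=ctx)
    else:
        client = poplib.POP3(host, port, timeout=10)
        offered = "STLS" in client.capa()
        if offered: client.stls(context=ctx)
    sock = client.sock  # after a successful upgrade this is the wrapped TLS socket
    tls = {"version": sock.version(), "cipher": sock.cipher()[0]} if offered else None
    return {"starttls_offered": offered, "tls": tls}
```

A result with `starttls_offered` false means the endpoint would be read in clear text by anyone on the path, which is exactly the exposure the post describes.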
