Don’t count on STARTTLS to automatically encrypt your sensitive e-mails

Accepted submission by darkfeline at 2015-10-31 00:55:34
Digital Liberty

http://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/

This isn't really new news, but improperly configured mail services result in lots of privacy holes across the Internet.

STARTTLS is used to upgrade an unencrypted connection to an encrypted SSL/TLS connection. The problem is that if the upgrade fails, many mail clients will proceed to send mail on the unencrypted connection.

For any sysadmins (technical info):

Unfortunately, the situation is somewhat sticky. I suggest carefully reading the TLS/SSL section of https://wiki.debian.org/PostfixAndSASL as well as the STARTTLS RFC, http://tools.ietf.org/html/rfc2487.

Public email servers should not require STARTTLS (that is, encryption) on port 25 (smtp). Furthermore, there is no guarantee that all of the mail servers during transit of an email use encryption. Thus, you should assume your email is transmitted unencrypted, until a better solution emerges. You can always use OpenPGP to encrypt the body of your email, which should become commonplace shortly after Hurd achieves market dominance.
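An added example (not from the article or the submitter) of what a client that does not fall back to cleartext looks like: it checks whether the EHLO reply actually advertises STARTTLS, refuses to send if it does not or if the upgrade fails, and verifies the server certificate. The host name, port and addresses are placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage


def starttls_offered(ehlo_reply: str) -> bool:
    """Return True only if a raw 250 EHLO reply advertises STARTTLS (RFC 2487, section 4).

    A MITM that strips the STARTTLS line from this reply is exactly the case
    the article warns about: a client that shrugs and keeps going sends in cleartext.
    """
    for line in ehlo_reply.splitlines():
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        if line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def send_fail_closed(host: str, port: int, msg: EmailMessage, timeout: float = 30) -> None:
    """Deliver msg only over a verified TLS session; never retry over plaintext."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and host name
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # smtplib parses the 250 reply for us; this is the same check as starttls_offered()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server did not advertise STARTTLS; refusing to send in cleartext")
        # Raises smtplib.SMTPResponseException or ssl.SSLError if the upgrade fails,
        # so control never reaches send_message() on an unencrypted socket.
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 2487 requires a fresh EHLO after the TLS handshake
        smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder submission server and addresses; replace with your own.
    mail = EmailMessage()
    mail["From"] = "sender@example.test"
    mail["To"] = "recipient@example.test"
    mail["Subject"] = "STARTTLS fail-closed test"
    mail.set_content("This message is only sent if the TLS upgrade succeeds.")
    send_fail_closed("mail.example.test", 587, mail)
```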
