Google, Microsoft, Yahoo collaborate for a new encrypted email transport protocol

Accepted submission by bitstream at 2016-03-21 19:59:54
Security

A group of independent security researchers and major US corporations including Microsoft, Google, Yahoo, LinkedIn, and Comcast have submitted a proposal for an encrypted email transport protocol called SMTP STS [ietf.org] (Strict Transport Security). It is meant to plug the hole that spoofed STARTTLS responses can open: an attacker on the path who strips or forges the STARTTLS capability can force a connection to fall back to plaintext. In concept, the new extension resembles HSTS (HTTP Strict Transport Security) for HTTPS. Much like HSTS, SMTP STS brings message confidentiality and server authenticity [softpedia.com] to the process of initiating an encrypted email channel. The new protocol also works with HTTPS to avoid SSL/TLS downgrades and MITM attacks. Last year, Oracle submitted a similar proposal called DEEP [ietf.org] (Deployable Enhanced Email Privacy).

There's an earlier protocol called DANE [wikipedia.org] with similar characteristics. The primary difference between the two mechanisms is that DANE requires DNSSEC to authenticate its TLSA records, whereas SMTP STS relies on the certificate authority (CA) system and a trust-on-first-use (TOFU) approach to avoid interception. The TOFU model allows a degree of security similar to that of HPKP [RFC7469 [ietf.org]], reducing the complexity but without the first-use guarantees offered by DNSSEC. In addition, SMTP STS introduces a mechanism for failure reporting and a report-only mode, enabling progressive roll-out and auditing for compliance.
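To make the TOFU, enforce/report-only and failure-reporting ideas concrete, here is an added toy model of the sending MTA's decision logic (illustrative code, not the draft's wire format or any project's implementation; the policy fields, cache shape and return labels are assumptions):

```python
"""Toy model of an SMTP STS style trust-on-first-use policy cache (hypothetical)."""
from dataclasses import dataclass, field


@dataclass
class StsPolicy:
    mode: str         # "enforce" or "report" (report-only mode); assumed names
    mx_names: tuple   # hostnames whose certificate the policy accepts
    max_age: int      # seconds the pinned policy stays valid


@dataclass
class StsCache:
    policies: dict = field(default_factory=dict)   # domain -> (policy, learned_at)
    reports: list = field(default_factory=list)    # constructed failure reports

    def learn(self, domain, policy, now):
        # TOFU: the first policy seen for a domain is pinned; a "new" policy
        # arriving later over an unauthenticated channel is ignored until expiry.
        self.policies.setdefault(domain, (policy, now))

    def decide(self, domain, starttls_offered, cert_name, now):
        """Return 'deliver', 'defer' or 'deliver-and-report' for one delivery."""
        entry = self.policies.get(domain)
        if entry is None or now - entry[1] > entry[0].max_age:
            return "deliver"   # no valid pin: legacy opportunistic behaviour
        policy = entry[0]
        failure = None
        if not starttls_offered:
            failure = "starttls-not-offered"      # spoofed/stripped STARTTLS
        elif cert_name not in policy.mx_names:
            failure = "certificate-mismatch"      # wrong endpoint presented
        if failure is None:
            return "deliver"
        self.reports.append((domain, failure))    # failure reporting in both modes
        return "defer" if policy.mode == "enforce" else "deliver-and-report"
```

In enforce mode a missing STARTTLS or a mismatched certificate defers the mail and records a report; in report-only mode the same conditions are logged but delivery proceeds, which is what allows staged roll-out.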

Don't forget the smiley that had engineers with close ties to Google explode in profanity [slate.com]. Splicing the fibers between datacenters [arstechnica.com] used by Google and Yahoo wasn't popular either.
