STARTTLS Everywhere
Yan!
August 05, 2014
Yan Zhu and Jacob Hoffman-Andrews. PasswordsCon 2014.
Transcript
STARTTLS Everywhere
Peter Eckersley, Jacob Hoffman-Andrews, Yan Zhu
Electronic Frontier Foundation
{pde, jsha, yan}@eff.org
SMTP email transmission is mostly insecure
ngrep -i password tcp port 25
Threat model
1. passive attackers
2. passive attacks w/ key compromise
3. active attackers
4. sophisticated active attacks
Threat model
1. passive attackers: turn on STARTTLS
2. passive attacks w/ key compromise
3. active attackers
4. sophisticated active attacks
STARTTLS in/out of Gmail
It'd be nice to stretch that graph further back in time
https://github.com/EFForg/smtp-tls-history.git
Email [email protected] if you'd like to run that on a large set of historical headers
2. passive attacks w/ sophisticated assistance (key theft)
What's the easiest way for eavesdroppers to read billions of encrypted email transfers?
Normal TLS: session keys linked to long-term private keys
[Diagram: session keys 1 to 4, each linked to the sender's public key and the receiver's public key]
...steal the private keys Image: betty le bon
“Perfect” Forward Secrecy: Extra crypto unbinds session keys from private keys
[Diagram: session keys 1 to 4 derived via ECDH, separate from the sender's public key and the receiver's public key]
How do we turn on Perfect Forward Secrecy correctly for SMTP?
Simple answer:
- support TLS v1.2
- protect against downgrade attacks
Need a new policy mechanism to do that!
3. active network attacks
Unfortunately, active attacks are really easy...
How does SMTP-TLS work?
One side says “STARTTLS”, the other replies “STARTTLS”
The sender will fall back to insecure SMTP
Attackers can also “man in the middle”, speaking TLS themselves
Source: Facebook, May 2014
Threat model
1. passive attackers: turn on STARTTLS
2. passive attacks w/ key compromise
3. active attackers: ???
4. sophisticated active attacks
On the Web, we have the HSTS header for this
A quick pragmatic solution: STARTTLS Everywhere
git clone https://github.com/EFForg/starttls-everywhere.git
Main concepts:
- Recipient security policy framework
- Supports missing functionality
- Start with a centralized database
- Multi-channel distribution
Related work
DANE: fully distributed, uses DNSSEC
SPF: Applies to senders, not receivers
Scenario 1 (prototype, work in progress)
git clone https://github.com/EFForg/starttls-everywhere.git
# Run our script, which does:
while sleep 1d ; do
  git pull
  git tag --verify $LATEST_VERSION || exit
  ./MTAConfigGenerator.py --edit /etc/postfix
  ./FailureNotificationDaemon.py &
done
Scenario 2 (common unix MTAs) apt-get install starttls-everywhere
Scenario 3 (large scale production)
wget https://eff.org/starttls-everywhere/latest-db.json
wget https://eff.org/starttls-everywhere/latest-db.sig
gpg --verify latest-db.sig latest-db.json || error-script
MTAConfigGenerator.py latest-db.json -o mta-policy.cf
your-deploy-script mta-policy.cf
Policy database is a set of JSON blobs:
// These match on the MX domain.
"*.yahoodns.net": {
  "require-valid-certificate": true
},
"*.eff.org": {
  "require-tls": true,
  "min-tls-version": "TLSv1.1",
  "enforce-mode": "enforce",
  "accept-spki-hashes": [
    "sha1/5R0zeLx7EWRxqw6HRlgCRxNLHDo=",
    "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM="
  ]
},
"*.google.com": {
  "require-valid-certificate": true,
  "min-tls-version": "TLSv1.1",
  "enforce-mode": "log-only",
  "error-notification": "https://google.com/post/reports/here"
}
}
// Since the MX lookup is not secure, we list valid responses for each
// address domain, to protect against DNS spoofing.
"acceptable-mxs": {
  "yahoo.com": {
    "accept-mx-domains": ["*.yahoodns.net"]
  },
  "gmail.com": {
    "accept-mx-domains": ["*.gmail.com", "*.google.com", "*.googlemail.com"]  # hypothetical
  }
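How a sending MTA could apply a policy of this shape to one outbound session, covering both the spoofed-MX case and the stripped-STARTTLS fallback described in the active-attack slides. This is an added example, not code from the talk or from the starttls-everywhere repository. The names `evaluate`, `match` and the top-level key `tls-policies`, the hostnames, and the two behaviours marked as assumptions in the comments are not on the slides.

```python
# Constructed policy in the slide's shape. The top-level key "tls-policies"
# is an assumption: the slide does not show the name of that object.
POLICY = {
    "tls-policies": {
        "*.yahoodns.net": {"require-valid-certificate": True},
        "*.eff.org": {"require-tls": True, "min-tls-version": "TLSv1.1",
                      "enforce-mode": "enforce"},
        "*.google.com": {"require-valid-certificate": True,
                         "min-tls-version": "TLSv1.1", "enforce-mode": "log-only"},
    },
    "acceptable-mxs": {
        "yahoo.com": {"accept-mx-domains": ["*.yahoodns.net"]},
        "gmail.com": {"accept-mx-domains": ["*.google.com"]},
    },
}
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest first

def match(patterns, host):
    """First pattern covering host, else None; "*.x" covers subdomains of x."""
    host = host.lower().rstrip(".")
    for p in patterns:
        q = p.lower()
        if host == q or (q.startswith("*.") and host.endswith(q[1:])):
            return p

def evaluate(policy, rcpt_domain, mx_host, tls_version=None, cert_valid=False):
    """Return (action, problems) for one outbound session; tls_version is
    None when the session stayed in plaintext. action: deliver/log/reject."""
    allowed = policy["acceptable-mxs"].get(rcpt_domain.lower())
    if allowed and not match(allowed["accept-mx-domains"], mx_host):
        # Assumption: an unlisted MX is always refused (possible DNS spoofing).
        return "reject", ["unlisted MX " + mx_host]
    rule = policy["tls-policies"].get(match(policy["tls-policies"], mx_host), {})
    minimum = rule.get("min-tls-version")
    cert_req = rule.get("require-valid-certificate")
    problems = []
    if tls_version is None:
        if rule.get("require-tls") or minimum or cert_req:
            problems.append("STARTTLS missing or stripped")
    else:
        rank = TLS_ORDER.index(tls_version) if tls_version in TLS_ORDER else -1
        if minimum and rank < TLS_ORDER.index(minimum):
            problems.append("%s is below %s" % (tls_version, minimum))
        if cert_req and not cert_valid:
            problems.append("certificate failed validation")
    if not problems:
        return "deliver", []
    mode = rule.get("enforce-mode", "enforce")  # assumption: default is enforce
    return ("log" if mode == "log-only" else "reject"), problems
```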
demo time! https://eff.org/starttls
https://eff.org/join https://eff.org/starttls EFF depends on your support!