Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
STARTTLS Everywhere
Search
Yan!
August 05, 2014
Programming
0
310
STARTTLS Everywhere
Yan Zhu and Jacob Hoffman-Andrews. PasswordsCon 2014.
Yan!
August 05, 2014
Tweet
Share
Other Decks in Programming
See All in Programming
Ruby×iOSアプリ開発 ~共に歩んだエコシステムの物語~
temoki
0
200
TDD 実践ミニトーク
contour_gara
1
280
AIレビュアーをスケールさせるには / Scaling AI Reviewers
technuma
2
240
Testing Trophyは叫ばない
toms74209200
0
560
JSONataを使ってみよう Step Functionsが楽しくなる実践テクニック #devio2025
dafujii
0
270
オープンセミナー2025@広島「君はどこで動かすか?」アンケート結果
satoshi256kbyte
0
240
Trem on Rails - Prompt Engineering com Ruby
elainenaomi
1
100
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
320
複雑なドメインに挑む.pdf
yukisakai1225
5
960
Azure SRE Agentで運用は楽になるのか?
kkamegawa
0
1.3k
AIを活用し、今後に備えるための技術知識 / Basic Knowledge to Utilize AI
kishida
19
4.6k
Go言語での実装を通して学ぶLLMファインチューニングの仕組み / fukuokago22-llm-peft
monochromegane
0
110
Featured
See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
We Have a Design System, Now What?
morganepeng
53
7.8k
Embracing the Ebb and Flow
colly
87
4.8k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
185
54k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
800
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
358
30k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Site-Speed That Sticks
csswizardry
10
810
Building Better People: How to give real-time feedback that sticks.
wjessup
368
19k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.5k
The Cult of Friendly URLs
andyhume
79
6.6k
Transcript
STARTTLS Everywhere Peter Eckersley, Jacob Hoffman-Andrews, Yan Zhu Electronic Frontier
Foundation {pde, jsha,yan}@eff.org
SMTP email transmission is mostly insecure
ngrep -i password tcp port 25
None
None
Threat model 1. passive attackers 2. passive attacks w/ key
compromise 3. active attackers 4. sophisticated active attacks
Threat model 1. passive attackers turn on STARTTLS 2. passive
attacks w/ key compromise 3. active attackers 4. sophisticated active attacks
None
None
None
STARTTLS in/out of Gmail
It'd be nice to stretch that graph further back in
time https://github.com/EFForg/smtp-tls-history. git Email
[email protected]
if you'd like to run that on a large set of historical headers
2. passive attacks w/ sophisticated assistance (key theft)
What's the easiest way for eavesdroppers to read billions of
encrypted email transfers?
Session key 1 Session key 2 Session key 3 Session
key 4 Normal TLS: session keys linked to long-term private keys Sender's public key Receiver's public key
...steal the private keys Image: betty le bon
Session key 1 Session key 2 Session key 3 Session
key 4 “Perfect” Forward Secrecy: Extra crypto unbinds session keys from private keys Sender's public key Receiver's public key ECD H ECD H
How do we turn on Perfect Forward Secrecy correctly for
SMTP?
Simple answer: - support TLS v1.2 - protect against downgrade
attacks
Need a new policy mechanism to do that!
3. active network attacks
Unfortunately, active attacks are really easy...
How does SMTP-TLS work?
One side say “STARTTLS”, the other replies “STARTTLS”
None
The sender will fall back to insecure SMTP
Attackers can also “man in the middle”, speaking TLS themselves
Source: Facebook, May 2014
Threat model 1. passive attackers turn on STARTTLS 2. passive
attacks w/ key compromise 3. active attackers ??? 4. sophisticated active attacks
On the Web, we have the HSTS header for this
A quick pragmatic solution: STARTTLS Everywhere
git clone https://github.com/EFForg/starttls-everywhere.git
Main concepts: - Recipient security policy framework - Supports missing
functionality - Start with a centralized database - Multi-channel distribution
Related work DANE: fully distributed, uses DNSSEC SPF: Applies to
senders, not receivers
Scenario 1 (prototype, work in progress) git clone https://github.com/EFForg/starttls-everywhere.git #
Run our script, which does: while sleep 1d ; do git pull git tag --verify $LATEST_VERSION || exit ./MTAConfigGenerator.py --edit /etc/postfix ./FailureNotificationDaemon.py & done
Scenario 2 (common unix MTAs) apt-get install starttls-everywhere
Scenario 3 (large scale production) wget https://eff.org/starttls-everywhere/latest-db.json wget https://eff.org/starttls-everywhere/latest-db.sig gpg
--verify latest-db.sig latest-db.json || error-script MTAConfigGenerator.py latest-db.json -o mta-policy.cf your-deploy-script mta-policy.cf
Policy database is a set of JSON blobs:
// These match on the MX domain. "*.yahoodns.net": { "require-valid-certificate":
true, } "*.eff.org": { "require-tls": true, "min-tls-version": "TLSv1.1", "enforce-mode": "enforce" "accept-spki-hashes": [ "sha1/5R0zeLx7EWRxqw6HRlgCRxNLHDo=", "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" ] } "*.google.com": { "require-valid-certificate": true, "min-tls-version": "TLSv1.1", "enforce-mode": "log-only", "error-notification": "https://google.com/post/reports/here" }, } // Since the MX lookup is not secure, we list valid responses for each // address domain, to protect against DNS spoofing. "acceptable-mxs": { "yahoo.com": { "accept-mx-domains": ["*.yahoodns.net"] } "gmail.com": { "accept-mx-domains": [”*.gmail.com”, "*.google.com", ”*.googlemail.com”] # hypothetical }
demo time! https://eff.org/starttls
https://eff.org/join https://eff.org/starttls EFF depends on your support!
None