SMTP Strict Transport Security
It is no secret that email has been a weak point in the security of the standard Internet protocol suite for quite some time. While improvements to HTTP and TLS have resulted in more robust web security, mail transfer has lagged behind. Now, a new draft RFC has been submitted to the Internet Engineering Task Force (IETF) that may make SMTP connections substantially more secure, closing loopholes that have made mail transfer vulnerable to man-in-the-middle and cryptographic-downgrade attacks.
The draft is called SMTP Strict Transport Security (SMTP STS), and it was first posted on March 18. The authors work for a variety of well-known technology companies and ISPs, including Google, Yahoo, Comcast, Microsoft, LinkedIn, and 1&1 Internet. It sets out a standard by which a mail server can publish an STS Policy that defines how mail transfer agents (MTAs) can connect using TLS, how they can validate the server's TLS certificate, and what they should do in the case that a TLS session cannot be correctly established. As the name implies, SMTP STS is similar in design to HTTP Strict Transport Security (HSTS), defined in RFC6797.
SMTP was originally defined in RFC821, long before TLS (or SSL) were invented, and sent all messages in the clear. The STARTTLS extension (RFC3207) added support for TLS transport in 2002. Although reports are that STARTTLS has proven popular with mail providers, it suffers from some severe shortcomings.
First, the TLS session is subject to downgrade attacks. In the SMTP session-establishment handshake, the STARTTLS command is sent from one machine to the other, in the clear. Upon receipt, the remote machine is intended to respond by initiating a TLS handshake before the SMTP session continues. But an attacker sitting in between the two machines can simply intercept and drop the STARTTLS command (or overwrite it with garbage), in which case the SMTP session will continue in plaintext.
The second shortcoming is that, in a STARTTLS handshake, client machines do not attempt to verify that the TLS certificate presented by the server actually belongs to the expected domain. Here again, an attacker in the middle can intercept the genuine certificate and replace it with a fraudulent one, without the client knowing the difference.
SMTP STS defines a way for a mail server to publish a public record that TLS is available and that SMTP clients should thus use it when making connections. This record is the STS Policy, and has seven mandatory fields:
- v - the SMTP STS version. Only a value of STS1 is supported.
- to - a boolean indicating whether the server is "TLS Only." If true, then clients who encounter errors in the TLS setup must not deliver any mail to the server.
- mx - a comma-separated list of domains for which the policy applies.
- a - the authentication mechanism clients should use to verify that the policy is authentic. The supported mechanisms are DNSSEC and an HTTPS URI at which the client can separately request the policy and verify that the two copies are identical.
- c - the validation method clients should use to verify the authenticity of the server's TLS certificate. The supported methods are DANE TLSA (RFC7672) and verifying the PKI trust chain on the certificate back to a root certificate authority (that is, traditional TLS identity checking as specified in RFC6125).
- e - the maximum lifetime of the policy.
- rua - the address to which feedback and errors may be reported by the client.
A server can publish its STS Policy at https://example.com/.well-known/smtp-sts or via DNS as a TXT record under the name _smtp_sts.example.com. The draft document further specifies that any errors reported to a server by clients should contain details about where unexpected results were encountered: an expired certificate, a DNSSEC failure, a certificate that does not match the server's domain, and so forth.
As Lucian Constantin at InfoWorld pointed out, one possible security loophole is that the first time a client connects to a server, it has no cached copy of the server's STS Policy to compare, so a man-in-the-middle attacker could, in theory, intercept the first request and return a forged policy instead. That forged policy would, by necessity, include an a field similarly doctored to direct the client to an attacker-controlled server when authenticating the policy.
The draft's support for DNS-based policy publishing provides the means for some additional robustness against man-in-the-middle attacks over what is offered by TLS identity checking. If a server's STS Policy is published as a TXT record in a DNSSEC-protected zone, clients can verify its authenticity. Furthermore, the c field can be used to specify that a DANE TLSA record for the server's TLS certificate is required for validation. Thus, an attacker would have to compromise the DNSSEC server in addition to intercepting the SMTP handshake.
The draft also notes that clients are not obligated to accept STS Policies the first time they retrieve them from a server. Instead, they are permitted to use the rua reporting mechanism to tell the server's administrators what they saw. That report can be sent "offline" or during a different session, potentially allowing failures and suspicious reports to be routed around a man-in-the-middle attack. Such a reporting feature is not found in HSTS; nevertheless, SMTP STS is still a "trust on first use" system.
The authors of the draft list two other options to be considered for future inclusion in STMP STS as well. They are certificate pinning, in which a policy could specify specific certificates that must appear in the certificate-validation chain, and policy distribution, in which sites' policies could be recorded and publicly tracked.
The draft also speculates that it could be worthwhile for a policy to specify the list of cryptographic ciphers and TLS versions that the server accepts, and perhaps to specify that all mail received from the server's domain should be expected to arrive over TLS. The latter feature would, in theory, allow a mail server to check for an STS Policy for incoming mail domains and, thus, reject mail that is "supposed to" arrive over TLS but does not. The draft notes, however, that such a policy would come with its share or potential man-in-the-middle attacks to be guarded against, and may not offer significant gains.
STARTTLS has, no doubt, improved the security of e-mail transfer,
but it is far from complete. SMTP STS hopefully closes some of the
more egregious holes.
| Index entries for this article | |
|---|---|
| Security | |
Posted Apr 21, 2016 7:21 UTC (Thu)
by fredrik (subscriber, #232)
[Link] (9 responses)
It seems a waste to use a legacy clear text protocol solely for the purpose to upgrade with STARTTLS, when you can just as well initiate TLS immediately on first connect.
I'm sure that if the big players agreed to use SMTPS by default, and deploy a HTST-like solution to deprecate the use of the regular port 25, the internet as a community could obsolete a clear text, downgrade and MIM attack vulnerable infrastructure in a few years.
I wouldn't have thought a large shift proposal like that was possible a few years ago. Through recent years trend to migrate to HTTPS by default on most big services, HTST, HTTP/2 being TLS mostly, and Lets encrypt, we've seen that better standards can be introduced very quickly when the big players agree on sensible non-proprietary solutions and lead the way.
Aside from that I'm happy to see that DANE is included in the proposal as an alternative to the use of the more or less broken certificate trust chain infrastructure.
Posted Apr 21, 2016 8:44 UTC (Thu)
by grawity (subscriber, #80596)
[Link] (8 responses)
How would it help? You still need a way of knowing whether the server supports the new security protocol, whether it's STARTTLS or the traditional SMTPS-on-465 (which, by the way, has already been reallocated to a different protocol years ago). If firewalls can strip the string "STARTTLS" from packet data, it's even easier to block all TCP port 465 connections. A fake TCP RST is nearly indistinguishable from a real one, and once you receive an -ECONNREFUSED, you have to fall back to regular port 25 anyway, because the world isn't going to enable SMTPS in a blink. As for "the regular TLS certificate trust infrastructure for HTTPS, or DANE, could then be reused…", well, isn't that exactly the same as now?
Posted Apr 21, 2016 14:49 UTC (Thu)
by raven667 (subscriber, #5198)
[Link]
Thats where the reference to STS comes in, you add a new capability flag to EHLO that signifies that all further communication with that server should happen over TLS directly, so the first connection caches that information and all subsequent connections can't be downgraded because they aren't relying on checking for a cleartext STARTTLS flag every time. Of course if the first connection you make strips this info, then you can be downgraded, just like with SSH or other protocols that cache security relevant information on first connection, but that's a different kind of risk.
Over time you can switch clients to TLS by default and will see fewer and fewer clients who need the hinting or require the fall back cleartext protocol, giving you a real sense of when you can safely sunset to old protocol.
Posted Apr 21, 2016 14:53 UTC (Thu)
by eduard.munteanu (guest, #66641)
[Link]
1. You're an opportunistic user - you do choose to fall back to unsecured SMTP, but you don't really need a secure connection anyway
2. You mandate a secure connection - you don't fall back and do not use the service
A man in the middle can deny service, but we already knew that.
Posted Apr 21, 2016 21:40 UTC (Thu)
by fredrik (subscriber, #232)
[Link] (4 responses)
Yes, short term it wouldn't be any better than today, or today plus a slightly modified version of the SMTP-STS proposal. And yes, we'd need to establish a new port number for STMPS. And indeed, in the short term we would probably have to support the STARTTLS upgrade negotiable, but initially plain text, communication channel on port 25 too. As a deprecated fallback.
But, after a while I'm suggesting that many email admins would say: Hey, apart from legacy spam bots, I don't get a whole lot of authentic email over port 25. It all goes to the new port XX25/TLS. You know what, I'm just going to stop accepting email on port 25.
As a poor analogy, your ssh client doesn't bother checking if it can fallback to the telnet or rlogin port if it fails on port 22. It just fails with connection refused. That's my future, no plain text fallback to anything, just encrypt or fail. And no pointless plain text upgrade when all servers have made STARTTLS mandatory anyway.
Posted Apr 21, 2016 22:11 UTC (Thu)
by neilbrown (subscriber, #359)
[Link] (3 responses)
I don't think you remove it, just reduce and hide it.
The TCP connection to this new port starts with "SYN" "SYN-ACK" , "ACK", which are all plain "text".
Posted Apr 22, 2016 2:43 UTC (Fri)
by raven667 (subscriber, #5198)
[Link] (2 responses)
Posted Apr 22, 2016 2:59 UTC (Fri)
by neilbrown (subscriber, #359)
[Link] (1 responses)
Both ends of the connection can choose which levels of security are acceptable. A MITM attacker can always force the connection to use the lowest mutually acceptable level. The particular details of the negotiation are only of interest to implementers.
Posted Apr 22, 2016 16:01 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
A better question is why not just have clients cache the highest level of protocol you've detected for any particular server, and not allow negotiations to any lower version of protocol, my guess is that this has been thought through more clearly by the implementers who found that explicit notification from the server to engage this behavior fixes some corner cases. Many servers who offer STARTTLS today do so with invalid or expired certificates, I'm not even sure it's well defined what should be verified in the certificate to validate a connection today, you would not want clients to reject invalid certificates deployed today, but you would want to reject invalid certificates if the server owner has signaled that they expect them to be valid. Even better is that this policy signalling is out of band, via HTTPS or DNSSEC, that is harder to MITM today.
Posted Apr 25, 2016 8:35 UTC (Mon)
by jond (subscriber, #37669)
[Link]
Oh wow. I noticed that it said something different in `/etc/services` recently, but I hadn't put two-and-two together. I never turned off SMTPS. I'm pretty surprised they reallocated that port, it seems a bit premature.
Posted Apr 21, 2016 15:01 UTC (Thu)
by josh (subscriber, #17465)
[Link] (1 responses)
- How many support direct SMTPS connections on the SMTPS port?
- How many only support STARTTLS?
- Of each of those two categories, how many use a certificate that doesn't validate for the mail server's domain?
Posted Apr 25, 2016 8:37 UTC (Mon)
by jond (subscriber, #37669)
[Link]
Posted Apr 21, 2016 18:21 UTC (Thu)
by shane (subscriber, #3335)
[Link]
"Thus, an attacker would have to compromise the DNSSEC server in addition to intercepting the SMTP handshake."
Just to be clear, a DNS server may or may not be a "DNSSEC server" (this is not a term that is normally used in DNS).
DNSSEC is designed so that the DNS servers can be compromised and it would still not allow an attacker to send unauthorized answers. The DNS zones can be signed offline or with a HSM (hardware security module), and in either case compromising the DNS server would not help, since the keys needed to make an invalid version of the zone are not available.
Some DNS servers do online signing (PowerDNSSEC works this way, as does the proprietary CloudFlare DNS service). Also, a lot of DNS servers do keep the keys on unencrypted disks (I run my own servers like this, because the operational annoyance doesn't justify the additional security gained for my vanity domains). In all of these cases a compromise of the DNS server would indeed allow an attacker to send the DNS answers that it wants to complete the attack on the SMTP service.
Posted Apr 24, 2016 22:29 UTC (Sun)
by Nikratio (subscriber, #71966)
[Link]
Posted Apr 26, 2016 11:48 UTC (Tue)
by robbe (guest, #16131)
[Link]
This is prevented by the following requirement (from section 3.3 of the linked draft):
| [...], and MUST be served from an HTTPS endpoint at the domain
Maybe „matching“ could do with a better definition (does https://infected.example.com/... „match“ for example.com?), but it’s not as easy as pointing the client to https://evil.org/ outright.
The real attack scenario, and the reason, why SSTS, like HSTS, relies on caching, is the MITM attacker filtering DNS requests, so that the client never gets the TXT record. If the attacker is able to do this outright, the client will never learn the server’s SSTS policy. But once an unfiltered connection is made, the policy is loaded, verified, and cached … which makes subsequent attacks of this type fail.
SMTP Strict Transport Security
SMTP Strict Transport Security
SMTP Strict Transport Security
SMTP Strict Transport Security
SMTP Strict Transport Security
SMTP Strict Transport Security
So the client will always have to send some data which is open to snooping and accept some which is open to forging. The only difference between SMTPS and STARTTLS is how the secure components are encapsulated. That isn't a very interesting difference.
SMTP Strict Transport Security
SMTP Strict Transport Security
I don't see how that it different to a deliberate choice to abort a connection if STARTTLS isn't offered, or fails.
SMTP Strict Transport Security
SMTP Strict Transport Security
SMTP Strict Transport Security
SMTP Strict Transport Security
How to compromise DNSSEC
Not up to LWN standards
SMTP Strict Transport Security
> doctored to direct the client to an attacker-controlled server when
> authenticating the policy.
| matching that of the recipient domain.