Wednesday, September 29, 2010

STARTTLS support in Hotmail/Gmail

(Response from Gmail / Hotmail when issuing the starttls command for SMTP)
Google improves security in their Google Mail (Gmail) service, adding OAuth and other security features. Microsoft, with their Live Hotmail service, is hot on their heels, announcing new security features as well. However, I do have a feature request for security that is still not mentioned anywhere by either one of them.

I prefer Gmail for security reasons (Sept 29, 2010), and I've done so for quite a long time already. Without going too deeply into Risk Matrixes and economic discussions, starting out with results from the excellent SSLLABS public SSL database puts Gmail in the lead right away (scale from A downwards to F):

(Gmail SSL security rating by SSLLABS, Sept 28, 2010)

(Live Hotmail SSL security rating by SSLLABS, Sept 28, 2010)

I hope Ivan Ristic will forgive me for saying this (;-)), but I don't believe the majority of people understand the difference, nor do they care. Unfortunately. So for Ivan or anyone else: I would love to see yet another article on why this matters, and how it may affect my mom, my sisters and friends who don't understand or care. In other words: plaintext please. :-)

In April 2010 a colleague of mine (KluZz) and I did a report on the current deployment of RFC 3207 - SMTP service extension for secure SMTP over Transport Layer Security (TLS). We released it through our employer, available here (Norwegian only, sorry. Currently considering an updated English version, if time permits).

It was like discovering the dark side of the moon. Yes, seriously.

But enough of the self-advertisement; I'll get back to it in a later blogpost. The point of RFC 3207 is to enable simple and transparent mailserver-to-mailserver encryption. No, it's not a silver bullet. There are still plenty of ways to circumvent it, bypass it and gain unauthorised access to information anyway, but that's not the point here. It is transparent to the end user (no education needed), it uses certificates for encryption (optionally also authentication, still waiting to see that happen...), and when implemented correctly it allows for improved spam control, secure exchange of e-mail with specific domains and so on. At least that is my opinion.

Maybe best of all: it is very easy - and CHEAP - to deploy. Most mailservers support it, but it must be configured first. Any Linux consultant with a minimum of knowledge can do it in 30 minutes for Postfix. So why not?

Ask Microsoft. Ask Google. I would really appreciate seeing RFC 3207 (STARTTLS) support implemented in accordance with the RFC, suggesting and requesting STARTTLS upon connections. It would for sure make unauthorised sniffing of e-mail over the wire a little harder, both on the Internet and over corporate LAN/WAN connections. I even suggested it as an option to implement for Lyris in this blogpost a few days ago.

What they are doing now is promoting security between you (the user) and their service, improving one part of the chain. All communication between you and them will be encrypted and improved with regard to security. On the other side, between them and those who send you mail or your recipients, Hotmail/Gmail will still use unencrypted SMTP for communication. Deploying RFC 3207 support would improve that part of the chain as well. According to our numbers from April, approximately 15% of all domains support RFC 3207 today.

Look at it this way; by implementing RFC 3207 support at the mailservers of Hotmail and Gmail, 15% of all e-mail sent through them would suddenly be sent encrypted, transparent to the end user. Now that's probably a massive number of e-mails suddenly a little bit better protected!

Oh, and to Thunderbird developers (and others as well): any chance you could do a plugin that will analyze incoming mailheaders and colorize or inform me whether the e-mail was received using SSL/TLS, and which mailserver/domain it actually came from by verifying the remote certificate? Thank you in advance. :-)
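A sketch of the header analysis asked for above, as an added example (not code from the original post or from Thunderbird). It assumes that receiving servers record TLS either with the RFC 3848 `ESMTPS`/`ESMTPSA` keyword or with a Postfix-style `(using TLS...)` comment in their `Received:` header; the message, hostnames and addresses are constructed.

```python
import re
from email import message_from_string

# RFC 3848 "with" protocol types that mean the hop was protected by STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
# Postfix-style comment, e.g. "(using TLSv1 with cipher ...)".
TLS_COMMENT_RE = re.compile(r"\(\s*using\s+(TLSv[\d.]+|SSLv\d)", re.I)

# Constructed sample: newest hop first, as in a real message.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\tby mx.example.net (Postfix) with ESMTPS id 4A1B2C3D
\tfor <bob@example.net>; Wed, 29 Sep 2010 10:00:02 +0200
Received: from laptop.example.org (unknown [198.51.100.7])
\tby mail.example.org (Postfix) with ESMTP id 9F8E7D6C
\tfor <bob@example.net>; Wed, 29 Sep 2010 10:00:01 +0200
From: alice@example.org
Subject: constructed sample

hello
"""

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments from a header value."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def classify_hop(received):
    """Describe one Received: header: who recorded it and whether TLS was used."""
    flat = " ".join(received.split())          # unfold the header
    tls = TLS_COMMENT_RE.search(flat)          # look inside comments first
    bare = strip_comments(flat)                # then drop them ("with cipher")
    proto = WITH_RE.search(bare)
    by = re.search(r"\bby\s+(\S+)", bare)
    proto = proto.group(1).upper() if proto else None
    return {"by": by.group(1) if by else None, "protocol": proto,
            "tls": tls.group(1) if tls else None,
            "encrypted": proto in TLS_PROTOCOLS or tls is not None}

def hop_report(raw_message):
    """Classify every hop of a raw RFC 5322 message, newest hop first."""
    msg = message_from_string(raw_message)
    return [classify_hop(h) for h in msg.get_all("Received", [])]
```

Only the hops recorded by servers you control are trustworthy, since earlier `Received:` lines can be written by anyone upstream. The headers also say nothing about whether the remote certificate was verified.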

1 comment:

  1. Great test, I see that a domain that I use a great deal has a strange hostname in the reverse DNS zone :)

