
Security downgrade with IMAP STARTTLS leads to information leakage - based2
https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12398
======
corty
That is why one should always use the appropriate "s" port if possible, like
in imaps, pop3s or smtps. Then downgrade to TLS-less via fiddling with the
STARTTLS exchange maliciously or through a bug is impossible.

Imho STARTTLS needs to die. Maybe that's impossible for SMTP, but for
everything else we can and should get rid of it!

~~~
cm2187
SMTP needs to die too. Is there even a competing protocol in the pipeline that
would mandate encryption and prevent the spoofing of the sender? Every piece
of duct tape on top of smtp (starttls, spf, dkim) is optional, cannot be
relied on, and often isn’t relied on.

~~~
corty
Just use any modern IM protocol for that, like matrix, xmpp or maybe even one
of the proprietary ones. They all do what SMTP does and more, you would just
need to skin the client to look like a mail client to fool your users.

~~~
cm2187
I meant rather with the aim of progressively replacing smtp.

We complain about these protocols that are too widespread to ever be retired
but the reality is that TLS and http are managing the pace, ftp, pop and imap
are almost gone, and smtp is probably the last of the 1990s protocols that is
frozen in time while being a backbone of communications (and attack vectors)
on the internet.

~~~
corty
Maybe, but progressive replacement also got us dkim, spf and all that. So I'm
not sure that there is a possible way to do this for SMTP in any "good" way...

------
BuildTheRobots
I believe Dovecot can be configured not to even advertise AUTH capability
until after you've upgraded to TLS capability. Does anyone know if that would
stop this problem?

Saying that, someone with MITM capability could just modify the response and
advertise auth pre-tls, so it probably wouldn't help.

~~~
jlgaddis
> _Does anyone know if that would stop this problem?_

Based on my experiences with Dovecot, I believe it would.

> _Saying that, someone with MITM capability could just modify the response
> and advertise auth pre-tls, so it probably wouldn't help._

Well, hopefully your client isn't braindead and will negotiate an encrypted
session first, before sending credentials unencrypted -- especially if you've
configured it to use STARTTLS.
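
Added example, not part of any comment in this thread and not Dovecot's or Thunderbird's code: a Python sketch of the client-side policy the exchange above turns on, run over two constructed pre-TLS greetings. The function names and greeting strings are assumptions for illustration; LOGINDISABLED is the IMAP capability a server uses to withhold cleartext login before TLS.

```python
import re

class DowngradeError(Exception):
    """STARTTLS was required but the session cannot be upgraded."""

def parse_capabilities(line):
    """Return capability atoms from '* CAPABILITY ...' or '* OK [CAPABILITY ...]'."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", line, re.IGNORECASE)
    return {a.upper() for a in m.group(1).split()} if m else set()

def opportunistic_step(pre_tls_line):
    """Weak policy: trust whatever the cleartext capability list says."""
    caps = parse_capabilities(pre_tls_line)
    if "STARTTLS" in caps:
        return "STARTTLS"
    if "LOGINDISABLED" in caps:
        return "ABORT"
    return "LOGIN_IN_CLEARTEXT"  # credentials readable by anyone on the path

def strict_step(pre_tls_line):
    """Strict policy: the pre-TLS list can only lead to an upgrade or an abort."""
    caps = parse_capabilities(pre_tls_line)
    if "STARTTLS" not in caps:
        raise DowngradeError("STARTTLS not offered; refusing to authenticate")
    # After the handshake the client discards these capabilities and asks again.
    return "STARTTLS"

# Constructed sample greetings (not captured from a real server).
HONEST = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
# Same greeting as seen by the client when the cleartext list was altered in
# transit: STARTTLS and LOGINDISABLED are gone, a login mechanism is advertised.
TAMPERED = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready"

def demo():
    """Return {greeting: (opportunistic decision, strict decision)}."""
    results = {}
    for name, line in (("honest", HONEST), ("tampered", TAMPERED)):
        try:
            strict = strict_step(line)
        except DowngradeError:
            strict = "ABORT"
        results[name] = (opportunistic_step(line), strict)
    return results

if __name__ == "__main__":
    for name, (weak, strict) in demo().items():
        print(f"{name:9} opportunistic={weak:19} strict={strict}")
```

The server-side setting only protects clients that see the honest greeting; the strict client reaches the same safe outcome for both greetings because it never treats the cleartext list as permission to log in.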

------
pronoiac
Very helpful subtitle: "Security Vulnerabilities fixed in Thunderbird 68.9.0"

