
STARTTLS Considered Harmful - vectorbunny
https://www.agwa.name/blog/post/starttls_considered_harmful
======
spindritf
_Port numbers are a limited resource._

That's actually a pretty good point and I wish more services used SRV records
to determine which host and port to use. HTTP 2.0 was a chance to implement it
for HTTP but the effort fizzled out after just a handful of comments in 2007
or so.

I also like the idea of squeezing other information into DNS, like
certificates, gpg keys, why not HSTS-like information too? Say, a TXT record
enforcing ssl, no exceptions (ssl=all). But all this hinges on DNSSEC which is
very unpopular here.

~~~
droopyEyelids
One reason DNSSEC is unpopular is that it fails to address the fact that
centralized PKI suffers from tons of problems. Those problems would defeat the
purpose of a gesture as serious as putting your gpg key in DNS.

~~~
oconnore
It always seems ridiculous to me that people are coming up with ways to cope
with universal CAs (Tack, Convergence, CRLSets, etc.), but can't imagine how
to apply those same ideas with a hierarchical system.

CAs are a problem that DNSSEC doesn't solve, but DNSSEC solves tons of other
problems without making the CA problem harder.

------
gioele
I think people do not understand that the statement "you should always and
only use encryption" is seriously flawed when it comes to protocols used by
millions of applications.

If you are starting a new protocol for a wide audience you cannot just say
"encryption is required". Which encryption protocol will you require? And will
you stick with it forever? Even when it will be broken?

So you want a bit of forward compatibility and you add a version identifier to
wire protocol the or some other form of negotiation. Well done, now you are
opening your self to protocol downgrade attacks. You can try to fight this as
much as you want, but will always be back to square one: support for non-
updated applications: drop them or support them even thou you know there is a
security problem in supporting them?

All the non-public SMTP servers I have used in the last years require the use
of STARTTLS-enabled connections. So they are dropping old clients, but they
can do that because they have a tight control over the "environment" (their
students, their employers, etc). Others do not have this luxury.

~~~
zurn
You have it exactly backwards. If you are designing a new protocol, you do
mandate encryption. Look at eg. recent new Web protocols, they all do it:
WebRTC, WebSockets, SPDY.

Yes, the crypto engineering can be bewildering for non-experts, but it's just
engineering at the end of the day.

In many cases there are defenses against downgrade attacks. There is even hope
for the web browsery scenario (have to be back compatible with SSL + connect
to unknown/untrusted server, same as email): See
[http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-
scsv...](http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02)

~~~
gioele
My idea is that mandating encryption and allowing version/cipher negotiation
are more or less the same thing. They are not the same thing, but they lead to
similar conclusions.

What should be the response of a client when a server tells it during the
cipher negotiation that the only cipher that it (the server) can use are those
considered insecure by client?

Should the client proceed for the sake of interoperability? Or should the
client raise and error and say "sorry, no secure connection can be
established"?

Whatever you answer to that question is, why doesn't it apply to STARTTLS As
well? By not allowing STARTTLS, the server has negotiated a set of cipher
(i.e. {NULL-ENC}) that the client considers insecure. What should the client
do? Close the connection? (You can configure your program to do so right now.)
Or continue because you really want to send that email? (This is, sadly, the
current configuration of many applications.)

Back to the original point, I think that the important thing here is not only
to embed secure layers in protocols, but also (and mainly) to convince the
users that it is OK for an application to answer "Sorry, no secure connection
is available. Yes, I could set up an insecure connection, but I will not do
that."

~~~
danudey
_What should be the response of a client when a server tells it during the
cipher negotiation that the only cipher that it (the server) can use are those
considered insecure by client?_

 _Should the client proceed for the sake of interoperability? Or should the
client raise and error and say "sorry, no secure connection can be
established"?_

These are solved problems though; it's not as though this is a new
consideration. This has been a 'problem' since SSL's implementation. If you
can't agree on a cipher spec, you don't connect.

The issue with your argument in particular is that you're basically saying 'we
shouldn't require encryption because it's too complicated to make a few
choices', which implies to me that you think not using encryption is a better
choice (since any TLS implementation requires these issues). Your argument,
then, is an argument against SSL/TLS encryption in any respect, as opposed to
mandatory encryption.

 _Back to the original point, I think that the important thing here is not
only to embed secure layers in protocols, but also (and mainly) to convince
the users that it is OK for an application to answer "Sorry, no secure
connection is available. Yes, I could set up an insecure connection, but I
will not do that."_

This is pretty common; in fact, most software will just say that it can't
connect, with no more detailed explanation unless you dig into it. I've also
had issues where the default configuration for postfix on Ubuntu (STARTLS
enabled, self-signed certificate) is rejected by some clients, requiring me to
disable authentication on those clients (which required a secure connection)
and whitelist their IP addresses (insecure!).

------
allegory
Considering every damn SMTP server out there that talks STARTTLS actually just
accepts any certificate by default including self-signed ones, isn't this
entire point moot?

It prevents casual attackers watching the wire i.e. network taps but doesn't
prevent MITM at all as you can just proxy it with another self signed cert and
it goes through.

I know this because our SMTP gateway does exactly that, transparently with
postfix.

~~~
leni536
_Considering every damn SMTP server out there that talks STARTTLS actually
just accepts any certificate by default including self-signed ones, isn 't
this entire point moot?_

It's not a protocol but an implementation problem.

~~~
crpatino
STARTTLS _is_ and implementation of SSL/TLS protocol

------
leni536
_a poorly-programmed client would fall back to using the protocol without TLS_

This is not a protocol vulnerability though. Poorly written programs cause
problems with any protocol.

~~~
dspillett
I think the implication is that the design of this protocol makes it much
easier to get away with creating bad code, in comparison to the alternative.

------
hadoukenio
> a poorly-programmed client would fall back to using the protocol without TLS

That was the whole point of STARTTLS - to allow a way to start a tunnel but be
backwards compatible to older clients.

The real problem was that they didn't account for MITM attacks.

~~~
gioele
Many applications that support STARTTLS can be configured to require a secure
connection to be in place before sending any data.

~~~
jgillich
Not just applications, servers as well. My Postfix/Dovecot setup does support
unencrypted connections, but will refuse to do authentication if the channel
is not encrypted.

~~~
brongondwana
Which is pointless when the plaintext password has already been sent across
the wire.

------
brongondwana
We wrote pretty much this years ago at FastMail:

[https://www.fastmail.fm/help/technical/ssltlsstarttls.html](https://www.fastmail.fm/help/technical/ssltlsstarttls.html)

All the downgrade and pre-encryption MITM and complexity arguments are
definitely worth repeating though. Straight up SSL is significantly better.

------
inopinatus
Opportunistic encryption between endpoints doesn't necessarily require
STARTTLS. That is merely a current convention. It could change in future, with
the development or invention of some new crypto paradigm. Case in point:
opportunistic IPSEC. Okay that wasn't the answer either, but it is an
alternative in principle, albeit not in practice today for global SMTP.

Point is, I think it's naive and unwise to assume that the crypto
upgrade/wrapper is and always shall be TLS and then to build this assumption
into standards in a manner that isn't future compatible. We are due a great
many innovations in end-to-end crypto over the next few decades. For example,
I'm hoping that new and interesting uses will be found for DANE. Maybe we can
even bring back network-layer opportunistic encryption.

------
jvdh
I am still not convinced by the "encrypt all the SMTP traffic" argument. It
adds more encrypted traffic, but these mails are still decrypted on the mail
servers to inspect them and then to forward them again.

Worse still, most mail servers and programs have no checks whatsoever
regarding certificates of other mail servers or clients. As long as it is able
to crypt and decrypt, it's acceptable. If you're lucky there is some sensible
admin who restricts algorithms.

I'm still worried that this adds too much false sense of security as it is
right now.

~~~
lmm
There will always be misconfigurations, so we will always need ways to detect
and handle them.

Encrypting everything everywhere increases the cost of snooping, which is
good. It's a long way from perfect, but that shouldn't stop us from making an
improvement.

~~~
jvdh
You are not encrypting everything everywhere.

It is putting things in a different envelope for each hop you are doing in the
post.

Yes, it is secured in transit, but there is no way that you can verify that
everything went securely.

~~~
lmm
Sure. But the point stands: it makes snooping more expensive. Is it perfect?
No. Is it better than nothing? Yes.

------
dtech
> To mitigate pervasive monitoring, new protocols should have only secure
> versions.

Isn't this the direction newer protocols are taking? AFAIK HTTP 2.0 is always
encrypted (even if no SSL cert is installed)

For the mentioned protocols: most IMAP and SMTP servers (which enable TLS)
disregard the IETF and allow TLS-on-connect connections on ports 993 and 465
respectively. If the IETF would (again) standardize this the problem would be
reasonably solved.

~~~
hobarrera
>> Isn't this the direction newer protocols are taking? AFAIK HTTP 2.0 is
always encrypted (even if no SSL cert is installed)

Using ad-hoc certificated is as safe as using STARTTLS: a MITM can just put
his own cert (similar to a MITM removing the STARTTLS capability announcement
from the client to the server). It's actually worse, since the client will
think it's communication is safer than it actually is.

~~~
Karunamon
This is a matter of UI design, then. Eventually I'd expect secure sites to be
the default (with broken lock symbols in the URL bar if not), with higher
levels of security carrying something like the secure site symbols we see
today.

Encryption and identity assurance are two different things - you can easily
have the first which makes passive monitoring much more difficult without the
trust infrastructure to mitigate MITMing.

For the average user, knowing what we know now, I'd say the first is a much
more clear and present danger. The second requires a person to actually take
interest in your traffic.

------
mcguire
"Although it's trivial for a properly-programmed client to protect against
this downgrade attack,..."

...that defeats the "use TLS when available" argument.

