Security

Who can save us? It's 2018 and some email is still sent as cleartext

Out of the phone booth comes the IETF in lycra - with the power of STANDARDS!

By Richard Chirgwin

71 SHARE

The Internet Engineering Task Force (IETF) has emitted another small advance in its program to protect as much of the Internet as it can, with a request that email systems finish encrypting all their connections.

In RFC 8314, Windrock's Keith Moore and Oracle's Chris Newman explain that there some interactions between email clients and servers still aren't encrypted.

Implementations of protocols like IMAP, POP, and SMTP have supported TLS for years, but often not “in a way that maximises end-user confidentiality”, an RFC penned by the pair said.

For example, there's the enduring but imperfect STARTTLS: it eventually sets up an encrypted channel for passing messages, but only after it uses cleartext communications so the client and server can negotiate capabilities and configuration.

The RFC recommends this be deprecated. Instead, TLS should be negotiated immediately when a connection is initiated, on a separate port, for all protocols between the client and the message transfer agent (MTA). This is referred to as “implicit TLS” in the RFC.

That would apply to IMAP over port 993, POP (port 995), and SMTP Submission (port 465).

Those writing client software (Outlook, Mac Mail, Thunderbird and so on) need to deprecate other connection methods, the RFC says.

Likewise, mail service providers are told to wind up old insecure protocols: “MUAs and Mail Service Providers (MSPs) (a) discourage the use of cleartext protocols for mail access and mail submission and (b) deprecate the use of cleartext protocols for these purposes as soon as practicable”, the RFC says.

“Servers provided by MSPs other than POP, IMAP, and/or Message Submission SHOULD support TLS access and MUST support TLS access for those servers that support authentication via username and password”, it continues.

Port 25 remains in use in too many places, and the authors want that to end: MSPs should transition users at least to STARTTLS (or better, Implicit TLS) as soon as possible.

And, of course, systems and services need to deprecate old encryption and implement at least TLS 1.1 or later. ®

Sign up to our NewsletterGet IT in your inbox daily

71 Comments

More from The Register

Net's druids thrash out specs for an independent IETF

This matters because right now there's no formal structure, which makes things tenuous

IETF wants packets to prove where they've been, to improve trust

Virtualisation is creating traffic handoffs that don't depend on physical ports

IETF mulls adding geoblock info to 'Bradbury's code'

Proposal to extend Error 451

Tasty news bytes from networking land: Route security, Cisco cert death, ETSI and more

Roundup Oh, and IETF standards got sloshed this week

Cisco patches yet another Data Centre Network Manager vuln

Good news is that it was just a proof of concept... we hope

Updating Things: IETF bods suggest standard

Proposal offers proper authentication, verification and over-the-air delivery

Cisco and AWS hop into bed for steamy hybrid Kubernetes action

Mixing up on-premises and cloudy containers

April FAIL as IETF's funny-but-dodgy draft doc arrives a week early

Holy Hand Grenade proposes update to RFC 8140 but blows back on the court of King Arthur

Cisco sneaks hardcoded secret root backdoor into vid surveillance kit

Who watches the watchers? Anybody who has the login

IETF: GDPR compliance means caring about what's in your logfiles

Don't log too much, nor keep the files for too long, to stay on right side of Euro privacy rules