Who can save us? It's 2018 and some email is still sent as cleartext

Out of the phone booth comes the IETF in lycra - with the power of STANDARDS!

By Richard Chirgwin

Posted in Security, 1st February 2018 07:26 GMT

The Internet Engineering Task Force (IETF) has emitted another small advance in its program to protect as much of the Internet as it can, with a request that email systems finish encrypting all their connections.

In RFC 8314, Windrock's Keith Moore and Oracle's Chris Newman explain that some interactions between email clients and servers still aren't encrypted.

Implementations of protocols like IMAP, POP, and SMTP have supported TLS for years, but often not “in a way that maximises end-user confidentiality”, an RFC penned by the pair said.

For example, there's the enduring but imperfect STARTTLS: it eventually sets up an encrypted channel, but only after the client and server have exchanged capabilities and configuration in cleartext. That cleartext preamble is the weak spot: an attacker on the path can strip the STARTTLS offer from the server's response, and a client that tolerates its absence will carry on, and authenticate, in the clear.

The RFC recommends that this be superseded: TLS should be negotiated as soon as the connection is opened, on a dedicated port, for the protocols between the mail user agent (MUA) and the mail access or submission server. This is referred to as "Implicit TLS" in the RFC, and it is to be preferred over STARTTLS. (Server-to-server relaying between MTAs is outside the document's scope.)

That means IMAP on port 993, POP3 on port 995 and SMTP Submission on port 465, rather than STARTTLS on ports 143, 110 and 587.
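To make the STARTTLS-versus-Implicit-TLS distinction concrete, here is an added example (it is not code from The Register or from the RFC authors): a check for what an Implicit TLS server expects as the first bytes on the socket, a parser for the cleartext EHLO reply a STARTTLS client has to trust, the client decision that prevents the stripping downgrade, and a client TLS policy matching the RFC's version requirement. The EHLO replies are constructed samples; the hostnames in them are placeholders.

```python
"""Added example: Implicit TLS vs STARTTLS on the wire, and the client-side rule
that keeps STARTTLS from being downgraded.  Not code from RFC 8314 or the
article; the server replies below are constructed samples."""

import re
import ssl

# --- Implicit TLS (ports 465/993/995): the first bytes are a TLS record -------

def is_tls_client_hello(first_bytes: bytes) -> bool:
    """True if a connection opens with a TLS handshake record: content type
    0x16 (handshake) followed by a 0x03 version-major byte.  A cleartext
    SMTP/IMAP/POP client would instead open with ASCII such as 'EHLO'."""
    return (len(first_bytes) >= 3
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03)

# --- STARTTLS (ports 587/143/110): capabilities arrive in cleartext ----------

def smtp_capabilities(ehlo_reply: str) -> set:
    """Parse a multi-line 250 EHLO reply (RFC 5321 format) into a set of
    capability keywords.  The first line is the server's greeting, not a
    capability, so it is skipped."""
    lines = [l for l in ehlo_reply.splitlines() if l.strip()]
    caps = set()
    for line in lines[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps

def submission_next_step(ehlo_reply: str) -> str:
    """Decide the client's next command on a STARTTLS port.  If STARTTLS is
    not advertised the correct move is QUIT, never AUTH in cleartext: that
    fallback is exactly what an attacker who strips the STARTTLS line is
    counting on."""
    if "STARTTLS" in smtp_capabilities(ehlo_reply):
        return "STARTTLS"
    return "QUIT"

# Constructed honest reply from a submission server on port 587.
HONEST_EHLO = (
    "250-mail.example.org Hello client.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
# The same reply after an on-path attacker has removed the STARTTLS offer.
STRIPPED_EHLO = HONEST_EHLO.replace("250-STARTTLS\r\n", "")

# --- Client TLS policy, used for either mode ---------------------------------

def make_mua_context() -> ssl.SSLContext:
    """Client-side TLS settings: certificate and hostname verification from
    the default context, plus a TLS 1.2 floor, matching the RFC's requirement
    that implementations support TLS 1.2 or later and retire older versions.
    Usage (network calls, not executed here):
        smtplib.SMTP_SSL(host, 465, context=make_mua_context())   # Implicit TLS
        smtplib.SMTP(host, 587).starttls(context=make_mua_context())  # STARTTLS
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    print("implicit TLS opener:", is_tls_client_hello(b"\x16\x03\x01\x00\xc4\x01"))
    print("cleartext opener:   ", is_tls_client_hello(b"EHLO client.example.net\r\n"))
    print("honest server  ->", submission_next_step(HONEST_EHLO))
    print("stripped server ->", submission_next_step(STRIPPED_EHLO))
    print("min TLS version:", make_mua_context().minimum_version.name)
```

The point of `submission_next_step` is that the STARTTLS design leaves the decision to the client: only a client that treats a missing STARTTLS offer as fatal is safe against stripping. With Implicit TLS there is no such decision to get wrong, because a server on 465, 993 or 995 that receives anything other than a TLS ClientHello simply has nothing to talk to.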

Those writing client software (Outlook, Mac Mail, Thunderbird and so on) need to deprecate other connection methods, the RFC says.

Likewise, mail service providers are told to wind up old insecure protocols: “MUAs and Mail Service Providers (MSPs) (a) discourage the use of cleartext protocols for mail access and mail submission and (b) deprecate the use of cleartext protocols for these purposes as soon as practicable”, the RFC says.

“Servers provided by MSPs other than POP, IMAP, and/or Message Submission SHOULD support TLS access and MUST support TLS access for those servers that support authentication via username and password”, it continues.

Port 25 is still used for mail submission in too many places, and the authors want that to end: MSPs should move their users to port 587 with STARTTLS or, better, to Implicit TLS on port 465, as soon as possible.

And, of course, old SSL and TLS versions have to go: the RFC requires implementations to support TLS 1.2 or later, and tells MSPs still offering SSL 2.x, SSL 3.0 or TLS 1.0 to move their users to TLS 1.1 or later and switch the older versions off. ®
