Who can save us? It's 2018 and some email is still sent as cleartext

Out of the phone booth comes the IETF in lycra - with the power of STANDARDS!

By Richard Chirgwin


The Internet Engineering Task Force (IETF) has emitted another small advance in its program to protect as much of the Internet as it can, with a request that email systems finish encrypting all their connections.

In RFC 8314, Windrock's Keith Moore and Oracle's Chris Newman explain that there some interactions between email clients and servers still aren't encrypted.

Implementations of protocols like IMAP, POP, and SMTP have supported TLS for years, but often not “in a way that maximises end-user confidentiality”, an RFC penned by the pair said.

For example, there's the enduring but imperfect STARTTLS: it eventually sets up an encrypted channel for passing messages, but only after it uses cleartext communications so the client and server can negotiate capabilities and configuration.

The RFC recommends this be deprecated. Instead, TLS should be negotiated immediately when a connection is initiated, on a separate port, for all protocols between the client and the message transfer agent (MTA). This is referred to as “implicit TLS” in the RFC.

That would apply to IMAP over port 993, POP (port 995), and SMTP Submission (port 465).

Those writing client software (Outlook, Mac Mail, Thunderbird and so on) need to deprecate other connection methods, the RFC says.

Likewise, mail service providers are told to wind up old insecure protocols: “MUAs and Mail Service Providers (MSPs) (a) discourage the use of cleartext protocols for mail access and mail submission and (b) deprecate the use of cleartext protocols for these purposes as soon as practicable”, the RFC says.

“Servers provided by MSPs other than POP, IMAP, and/or Message Submission SHOULD support TLS access and MUST support TLS access for those servers that support authentication via username and password”, it continues.

Port 25 remains in use in too many places, and the authors want that to end: MSPs should transition users at least to STARTTLS (or better, Implicit TLS) as soon as possible.

And, of course, systems and services need to deprecate old encryption and implement at least TLS 1.1 or later. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Net's druids thrash out specs for an independent IETF

This matters because right now there's no formal structure, which makes things tenuous

IETF wants packets to prove where they've been, to improve trust

Virtualisation is creating traffic handoffs that don't depend on physical ports

IETF mulls adding geoblock info to 'Bradbury's code'

Proposal to extend Error 451

Party like it's 1999: Packets of death, code exec menace Cisco gear

Annoying flaws found, patched in Fabric Services, NX-OS, StarOS, VOIP kit

Cisco stre...tches vulnerability disclosure timeline out to 90 days

Big vendors patch bugs nearly as quick as open source coders

April FAIL as IETF's funny-but-dodgy draft doc arrives a week early

Holy Hand Grenade proposes update to RFC 8140 but blows back on the court of King Arthur

Updating Things: IETF bods suggest standard

Proposal offers proper authentication, verification and over-the-air delivery

SoftNAS no longer a soft touch for hackers (for now)... Remote-hijacking vulnerability patched

Your files are someone else's files, too, thanks to storage bug

IETF: GDPR compliance means caring about what's in your logfiles

Don't log too much, nor keep the files for too long, to stay on right side of Euro privacy rules

Cisco NFV controller is a bit too elastic: It has an empty password bug

Critical patch lands for that, UCS Domain Manager flaw, dirty dozen lesser messes fixed