Monday, March 21, 2016

A group of independent security researchers and several major Silicon Valley technology companies submitted, on Friday, March 18, 2016, a proposal for a new SMTP extension called SMTP STS (Strict Transport Security).

SMTP has never been a secure protocol, mainly because when it was designed in 1982, surveillance of network traffic was not a pressing concern among the few thousand Internet-connected computers of the time.

As the Internet grew, and as cyber-criminals and nation-state attackers became a real threat, the STARTTLS extension to SMTP was introduced as a way to upgrade a mail session to an encrypted channel before messages are sent.

Unfortunately, STARTTLS never delivered the security originally intended. It is opportunistic: the sending server only encrypts if the receiving server advertises STARTTLS, and it normally does not verify the receiving server's certificate. An attacker positioned between the two servers can simply strip or mangle the STARTTLS advertisement, so the sender concludes that its counterpart doesn't support encryption and falls back to sending the message in plaintext, as usual.

It's exactly this hole that security researchers are now trying to plug with the new SMTP extension named STS, or Strict Transport Security.

SMTP STS is to SMTP what HSTS is to HTTPS
In principle, the new extension works for SMTP the way HSTS (HTTP Strict Transport Security) works for HTTPS. HSTS lets a web site declare that it must only be reached over HTTPS, so browsers refuse SSL/TLS downgrades and man-in-the-middle attempts; SMTP STS brings the same kind of declared policy, and with it message confidentiality and server authenticity, to the setup of an encrypted email channel.

SMTP STS lets a receiving mail domain publish a policy stating that it supports TLS and how its servers' certificates should be validated. A sending server fetches and caches that policy, so it can decide, in a manner an on-path attacker cannot tamper with, whether encryption must be used, whether the server it is talking to is genuine, and what to do (report the failure, or refuse to deliver) when the connection does not meet the policy.
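The downgrade described above and the policy check that closes it, as an added example that is not code from the original post, from the SMTP STS draft, or from any mail server. The EHLO replies are constructed, and the policy dictionary (tls_required, mode, mx, expires) and the mode names "enforce" and "report" are an assumed, simplified model of what the draft's policy expresses, not the draft's actual wire format:

```python
"""Model of the STARTTLS downgrade and an SMTP STS style policy check.

Added example; not code from the page, from the SMTP STS draft, or from any
MTA. The policy dictionary (tls_required, mode, mx, expires) is an assumed,
simplified shape that models the draft's intent; it is not the draft's
DNS/HTTPS wire format, and "enforce"/"report" are assumed mode names.
"""
import fnmatch
import re
from typing import Optional, Set

# Constructed EHLO reply, as a sending MTA would read it from the recipient MX.
EHLO_HONEST = (
    "250-mx1.example.net Hello sender.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Assumed cached policy for example.net (hypothetical shape, see module docstring).
POLICY_ENFORCE = {
    "tls_required": True,
    "mode": "enforce",          # "enforce": refuse on failure; "report": deliver anyway and log
    "mx": ["*.example.net"],    # names the presented certificate must match
    "expires": 1_459_000_000,   # Unix time; after this the cached policy is stale
}


def parse_ehlo(response: str) -> Set[str]:
    """Collect the EHLO keywords (upper-cased) from a multi-line 250 reply,
    skipping the first line, which only carries the greeting."""
    caps = set()
    for line in response.splitlines()[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def strip_starttls(response: str) -> str:
    """What an active attacker on the path does: overwrite the STARTTLS
    keyword so the client believes the server does not support TLS."""
    return response.replace("250-STARTTLS", "250-XXXXXXXX")


def cert_matches(policy: dict, cert_name: Optional[str]) -> bool:
    """True if the name in the server's certificate matches one of the MX
    patterns the policy allows. None means the handshake produced no
    usable certificate."""
    if cert_name is None:
        return False
    return any(fnmatch.fnmatchcase(cert_name.lower(), p.lower()) for p in policy["mx"])


def decide(ehlo_response: str, policy: Optional[dict],
           cert_name: Optional[str] = None, now: int = 1_458_000_000) -> str:
    """Decide how the sending MTA proceeds.

    Returns "tls" (encrypted, authenticated delivery), "plaintext"
    (opportunistic fallback), "plaintext+report" (policy violated in report
    mode) or "refuse" (policy violated in enforce mode).
    """
    offers_tls = "STARTTLS" in parse_ehlo(ehlo_response)
    if policy is None or not policy["tls_required"] or now >= policy["expires"]:
        # Plain opportunistic STARTTLS: trust whatever the (possibly tampered)
        # EHLO says, and never check who is on the other end of the TLS session.
        return "tls" if offers_tls else "plaintext"

    on_failure = "refuse" if policy["mode"] == "enforce" else "plaintext+report"
    if not offers_tls:
        return on_failure            # the downgrade is now a policy violation
    if not cert_matches(policy, cert_name):
        return on_failure            # TLS is up, but to an unauthenticated server
    return "tls"


if __name__ == "__main__":
    tampered = strip_starttls(EHLO_HONEST)
    print("opportunistic, tampered EHLO :", decide(tampered, None))
    print("STS enforce, tampered EHLO   :", decide(tampered, POLICY_ENFORCE))
    print("STS enforce, wrong cert      :", decide(EHLO_HONEST, POLICY_ENFORCE, "mx.attacker.invalid"))
    print("STS enforce, valid cert      :", decide(EHLO_HONEST, POLICY_ENFORCE, "mx1.example.net"))
```

The first two calls show the hole: with no policy the mangled EHLO silently turns the session into plaintext, while with a cached enforce policy the same tampering is refused. The cert check covers the other half of the problem, since an attacker who lets STARTTLS through but terminates TLS with his own certificate is also rejected. Note that the policy's expiry matters: once it lapses, the model falls back to opportunistic behaviour, which is why a real sender must refresh the policy before it expires.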

The biggest names on the contributors list include Microsoft, Google, Yahoo, LinkedIn, and Comcast. For now the proposal is only an Internet-Draft at the IETF (Internet Engineering Task Force), but with so many large companies behind the submission, the chances are good that it will become an official specification before long.

Last year, Oracle also submitted a related proposal called DEEP (Deployable Enhanced Email Privacy), which targets the connections between mail clients and their providers rather than server-to-server delivery.
