
Engineers from bigwig email service providers publish new email security standard

According to the posted draft, “SMTP STS is a mechanism enabling mail service providers to declare their ability to receive TLS-secured connections, to declare particular methods for certificate validation, and to request sending SMTP servers to report upon and/or refuse to deliver messages that can not be delivered securely”.


The proposal for the system has been sent to the Internet Engineering Task Force, and can be found in full here. One of the main problems with the STARTTLS extension is that if anything goes wrong while an email is on its way, it gets sent unencrypted by default. So, representatives of the world’s biggest e-mail service providers have united to improve the security of e-mail traffic. The new system would detect whether the domain you are sending to supports SMTP STS and would double-check that the certificate is authentic and, crucially, up to date. In 2002, the STARTTLS extension was added to upgrade unencrypted emails to encrypted ones. By August that same year, the rate jumped to 95 percent. This results in the man-in-the-middle (MitM) vulnerability that enables an attacker to intercept traffic by presenting any certificate.

SMTP STS will allow the two servers engaged in an email exchange to cryptographically validate each other and to decide, in a secure manner that is externally tamper-proof, whether they should use encryption, whether encryption is supported, and what they should do if it is not. In theory, this would prevent the message from being intercepted by a malicious server along the way to its destination, thus blocking attempted man-in-the-middle attacks.
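The sender-side decision described above, as an added example that is not part of the original article or the draft: it compares opportunistic STARTTLS with a policy-aware sender when STARTTLS is missing from the EHLO reply or the certificate has expired. `Session`, `StsPolicy`, the action names and the sample data are hypothetical, and the policy is assumed to have already been obtained securely.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Session:
    """What the sender observed at the recipient's MX (constructed sample data)."""
    ehlo_extensions: frozenset                 # extensions advertised in the EHLO reply
    cert_valid: bool = False                   # chain and hostname verified
    cert_not_after: Optional[datetime] = None  # certificate expiry

@dataclass
class StsPolicy:
    """Hypothetical policy model, not the draft's wire format."""
    enforce: bool  # True: refuse insecure delivery; False: deliver but report

def tls_authenticated(s: Session, now: datetime) -> bool:
    """STARTTLS offered, certificate verified, and certificate not expired."""
    return ("STARTTLS" in s.ehlo_extensions and s.cert_valid
            and s.cert_not_after is not None and now <= s.cert_not_after)

def opportunistic(s: Session) -> str:
    """Plain STARTTLS: encrypt if offered (any certificate), else send in clear."""
    return "encrypted-unverified" if "STARTTLS" in s.ehlo_extensions else "plaintext"

def decide(s: Session, policy: Optional[StsPolicy], now: datetime):
    """Return (action, failure_reported) for one delivery attempt."""
    if policy is None:                 # recipient declared nothing: legacy behaviour
        return opportunistic(s), False
    if tls_authenticated(s, now):
        return "encrypted-verified", False
    if policy.enforce:                 # recipient asked senders to refuse
        return "refused", True
    return opportunistic(s), True      # report-only: deliver, but tell the recipient

# Constructed sessions: a healthy MX, one whose STARTTLS line is absent, one expired cert.
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)
GOOD = Session(frozenset({"STARTTLS", "SIZE"}), True, datetime(2017, 1, 1, tzinfo=timezone.utc))
STRIPPED = Session(frozenset({"SIZE"}))
EXPIRED = Session(frozenset({"STARTTLS"}), True, datetime(2016, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, s in (("good", GOOD), ("stripped", STRIPPED), ("expired", EXPIRED)):
        print(name, decide(s, None, NOW), decide(s, StsPolicy(enforce=True), NOW))
```

Without a policy, the missing STARTTLS line produces a silent plaintext delivery; with an enforcing policy the same session is refused and reported.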

“SMTP STS will work alongside SMTP STARTTLS to strengthen SMTP and to avoid SSL/TLS downgrades and MitM attacks, just like HSTS works alongside HTTPS to strengthen HTTP”.


According to Google’s latest data, 83 percent of email messages sent by Gmail users to other email providers from around the world are encrypted, but only 69 percent of incoming emails from other providers are received over an encrypted channel. Email has been a particularly troublesome medium to encrypt.

Microsoft, Google, Comcast, LinkedIn and more join forces to work on encrypted email