The American digital rights organization Electronic Frontier Foundation has announced the STARTTLS Everywhere project. It is aimed at email server administrators, who can use the associated tools to configure STARTTLS so that email is encrypted in transit between mail servers.
In its announcement of the initiative, the EFF states that STARTTLS adoption now stands at 89 percent, compared to 39 percent five years ago. That does not change the fact that the technique has problems. STARTTLS only encrypts the hop between two mail servers; it is not end-to-end encryption, so a message still sits in plaintext on every server it passes through. The first problem, according to the organization, is that hardly any sending server verifies the receiving server's certificate, which in turn means few receiving servers bother to present a valid one. As a result, an active attacker on the path can present a certificate of their own and still intercept the traffic.
The second problem is that even when a valid certificate is used, a downgrade attack is still possible. With STARTTLS the two servers first agree to upgrade the connection to TLS, but that negotiation itself happens in the clear: the receiving server advertises STARTTLS in its plaintext EHLO reply, according to the EFF. An attacker on the path can therefore strip that advertisement and make it look as if the other side does not support STARTTLS, after which the sender falls back to plaintext. The organization discusses the techniques DANE and MTA-STS, which are meant to solve this, but concludes that they are not sufficient. DANE, for example, can be used to state that a particular domain supports encrypted connections, but it depends on DNSSEC, which itself has a low adoption rate.
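To make the two problems above concrete (an unverified certificate, and the STARTTLS advertisement being stripped from the cleartext EHLO reply), here is an added example that is not part of the article or of the EFF's own tools. It models both sides of the SMTP capability exchange, an on-path attacker who removes STARTTLS from the reply, and two sending policies: purely opportunistic TLS, and TLS required by an entry in a policy list. The policy list format, the hostnames and the certificate names are all constructed for the example; the real STARTTLS Everywhere list format is not described in the article.

```python
from dataclasses import dataclass

# Constructed, simplified policy list (not the EFF's format). Per recipient domain it
# records whether TLS is required and which MX hostnames a certificate may be for.
POLICY_LIST = {
    "example.net": {"mode": "enforce", "mxs": ["mx1.example.net", "mx2.example.net"]},
}


def ehlo_reply(hostname: str, supports_starttls: bool) -> list[str]:
    """The receiving MTA's EHLO reply. It is sent in the clear, before any TLS exists."""
    caps = [f"{hostname} Hello", "SIZE 35882577", "8BITMIME"]
    if supports_starttls:
        caps.append("STARTTLS")
    caps.append("ENHANCEDSTATUSCODES")
    # RFC 5321 multiline reply: "250-" on every line except the last, which uses "250 ".
    return [f"250-{c}" for c in caps[:-1]] + [f"250 {caps[-1]}"]


def capabilities(reply: list[str]) -> list[str]:
    """Capability tokens of an EHLO reply (text after the 3-digit code and separator)."""
    return [line[4:].strip() for line in reply]


def strip_starttls(reply: list[str]) -> list[str]:
    """What an on-path attacker does: rewrite the cleartext reply without STARTTLS,
    keeping the multiline reply well-formed so the sender notices nothing."""
    caps = [c for c in capabilities(reply) if c.upper() != "STARTTLS"]
    return [f"250-{c}" for c in caps[:-1]] + [f"250 {caps[-1]}"]


@dataclass
class Outcome:
    encrypted: bool   # did the session run over TLS?
    delivered: bool   # did the sender go ahead with delivery?
    reason: str


def deliver(domain: str, reply: list[str], cert_name: str, policy_list=POLICY_LIST) -> Outcome:
    """Sending MTA logic. Without a policy entry the sender is opportunistic: it uses
    TLS if offered, accepts any certificate, and otherwise sends in cleartext. With an
    'enforce' entry, a missing STARTTLS or a certificate for an unexpected host is fatal."""
    policy = policy_list.get(domain)
    enforce = policy is not None and policy.get("mode") == "enforce"
    advertised = any(c.upper() == "STARTTLS" for c in capabilities(reply))

    if not advertised:
        if enforce:
            return Outcome(False, False, "policy requires TLS but STARTTLS was not offered; defer")
        return Outcome(False, True, "opportunistic: no STARTTLS offered, delivering in cleartext")

    # STARTTLS was accepted and the receiving side presented a certificate for cert_name.
    if enforce and cert_name not in policy["mxs"]:
        return Outcome(True, False, f"certificate for {cert_name!r} does not match policy MX list; defer")
    if not enforce:
        # The common situation the EFF describes: TLS is used but nobody checks the certificate.
        return Outcome(True, True, "opportunistic: TLS negotiated, certificate not verified")
    return Outcome(True, True, "TLS negotiated with a certificate matching the policy")


if __name__ == "__main__":
    honest = ehlo_reply("mx1.example.net", True)
    stripped = strip_starttls(honest)
    for label, dom, rep, cert in [
        ("downgrade, opportunistic sender", "example.org", stripped, "mx1.example.net"),
        ("downgrade, policy-list sender", "example.net", stripped, "mx1.example.net"),
        ("MITM cert, opportunistic sender", "example.org", honest, "attacker.invalid"),
        ("MITM cert, policy-list sender", "example.net", honest, "attacker.invalid"),
    ]:
        print(f"{label}: {deliver(dom, rep, cert)}")
```

The mapping onto a real MTA is the point: in Postfix, `smtp_tls_security_level = may` is the opportunistic branch above, and a per-destination entry in `smtp_tls_policy_maps` with a level such as `secure` is the enforcing branch that refuses plaintext and checks the certificate name. How the EFF's policy list is turned into such settings is not covered by the article.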
The EFF aims to address these issues with its STARTTLS Everywhere project. As a first step, Postfix administrators can use a Certbot plugin to obtain valid certificates for their mail server. Some will know Certbot from Let's Encrypt, in which the EFF is also involved. Plugins for Dovecot and Sendmail are still under development. The organization then wants to tackle downgrade attacks by hosting a so-called policy list of domains whose mail servers support STARTTLS, so that a sending server that consults the list no longer has to take the receiving server's word for it. Administrators can add their server to the list through the project's site; organizations such as Gmail and Outlook are already on it. The site also lets users check their own email domain for security.