Re: [TLS] The risk of misconfiguration

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 14 May 2014 10:01 UTC

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 14 May 2014 11:01:35 +0100
To: tls@ietf.org
Cc: "Murray S. Kucherawy" <superuser@gmail.com>
Message-ID: <53733EFF.4010000@cs.tcd.ie>
In-Reply-To: <20140514022221.GE27883@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/svBskV1RaBZkm0hZkV-BytaSRRA

Good stuff. And thanks to FB for measuring and making this
public, be great if they wanted to do this now and then to
see what trends emerge and/or if others did similarly.

S.

On 14/05/14 03:22, Viktor Dukhovni wrote:
> On Wed, May 07, 2014 at 05:58:35AM +0000, Viktor Dukhovni wrote:
> 
>>> Ask someone "When you send email to someone, who can
>>> read it?".
>>
>> We're talking about TLS in SMTP not who can or can't read stored
>> email.  Whether the man in the street knows it or not, a substantial
>> fraction (estimated 20% and growing) of email traffic is encrypted
>> in transit, just because both ends can simply turn on STARTTLS.
>> I bet this fraction is larger than the fraction of HTTP traffic
>> that is protected inside HTTPS.
> 
> Right on cue:
> 
>     https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223
> 
> I was fairly sure my number of 20% was conservative, now Facebook
> measures it at 58%:
> 
>     We found that 76% of unique MX hostnames that receive our emails
>     support STARTTLS. As a result, 58% of notification emails are
>     successfully encrypted. Additionally, certificate validation
>     passes for about half of the encrypted email, and the other
>     half is opportunistically encrypted. 74% of hosts that support
>     STARTTLS also provide Perfect Forward Secrecy.
> 
> It is perhaps time to retire the belief that TLS for email is in
> a "sad state".  Of course it would be nice to also have authentication,
> but for that we need DNSSEC deployment and publication of TLSA RRs.
> 
> An ISP (posteo.de) deployed the first email transport authentication
> "fax-machine" this week:
> 
>     http://www.heise.de/newsticker/meldung/Verschluesselter-Mail-Transport-Posteo-setzt-als-erster-Provider-DANE-ein-2187144.html
> 
> they can now deliver email securely to debian.org, and any day now
> ietf.org, plus a smattering of smaller domains operated by individual
> DANE early adopters (welcome to the club Alyssa).
>
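The quoted figures separate MX hosts into "no STARTTLS", "opportunistically encrypted" and "certificate validation passes", and the follow-up note says that real transport authentication additionally needs DNSSEC-signed TLSA records. The block below is an added example, not code from this thread or from any MTA: it parses an EHLO reply for the STARTTLS keyword, matches a presented certificate chain against TLSA records the way RFC 6698/7672 define it (usage, selector, matching type), and then applies the delivery policy that turns one probe into one of those categories. Certificates, SPKI blobs, EHLO replies and the sample population are constructed byte strings and records so it runs offline; a real MTA would parse X.509 and do the DNS lookups.

```python
"""Classify SMTP transport security the way a DANE-aware MTA decides it.
Added example on constructed data: EHLO parsing, TLSA matching, delivery policy."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER certificates and their SubjectPublicKeyInfo (SPKI).
# A real MTA parses X.509; opaque byte strings keep the example self-contained.
LEAF_CERT, LEAF_SPKI = b"constructed leaf cert", b"constructed leaf spki"
ISSUER_CERT, ISSUER_SPKI = b"constructed issuer cert", b"constructed issuer spki"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (ISSUER_CERT, ISSUER_SPKI)]  # leaf first

# Constructed EHLO replies; '250-' lines continue, the '250 ' line ends the reply.
EHLO_WITH_STARTTLS = ("250-mx.example.test Hello\r\n250-SIZE 35882577\r\n"
                      "250-STARTTLS\r\n250 8BITMIME\r\n")
EHLO_PLAIN = "250-mx.example.test Hello\r\n250 8BITMIME\r\n"


def parse_ehlo(response: str) -> set:
    """Return the EHLO keywords a server advertises (RFC 5321 section 4.1.1.1)."""
    lines = [l for l in response.splitlines()
             if l[:3] == "250" and l[3:4] in ("-", " ")]
    caps = set()
    for line in lines[1:]:  # lines[0] carries the server's hostname, not a keyword
        word = line[4:].strip().split(" ")[0]
        if word:
            caps.add(word.upper())
    return caps


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA (an issuer in the chain), 3 = DANE-EE (the leaf)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def association_data(selector: int, mtype: int, cert: bytes, spki: bytes) -> bytes:
    """The 'certificate association data' a TLSA record must carry for this cert."""
    chosen = cert if selector == 0 else spki
    if mtype == 0:
        return chosen
    if mtype == 1:
        return hashlib.sha256(chosen).digest()
    if mtype == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def dane_matches(records, chain) -> bool:
    """True if any usable TLSA record matches the presented chain (leaf first).
    Usage 3 is checked against the leaf only, usage 2 against the issuers."""
    for rec in records:
        if rec.usage == 3:
            candidates = chain[:1]
        elif rec.usage == 2:
            candidates = chain[1:]
        else:
            continue  # usages 0/1 need a PKIX path and are not used for SMTP (RFC 7672)
        for cert, spki in candidates:
            try:
                if association_data(rec.selector, rec.mtype, cert, spki) == rec.data:
                    return True
            except ValueError:
                continue  # unusable record: ignore it and keep looking
    return False


@dataclass
class Probe:
    """What one delivery attempt observed; constructed rather than measured."""
    ehlo: str
    handshake_ok: bool = False
    pkix_valid: bool = False      # chain validates against the public CA store + name
    tlsa: list = field(default_factory=list)
    dnssec_secure: bool = False   # TLSA lookup came back DNSSEC-validated (AD bit)


def classify(p: Probe) -> str:
    caps = parse_ehlo(p.ehlo)
    if p.tlsa and p.dnssec_secure:
        # A signed TLSA record is the peer's promise of TLS: never fall back to cleartext.
        if "STARTTLS" in caps and p.handshake_ok and dane_matches(p.tlsa, CHAIN):
            return "dane-authenticated"
        return "deferred"  # RFC 7672: treat as a temporary failure and retry later
    if "STARTTLS" not in caps or not p.handshake_ok:
        return "cleartext"  # opportunistic TLS (RFC 7435): fall back rather than fail
    return "pkix-validated" if p.pkix_valid else "opportunistic"


GOOD_TLSA = [TLSA(3, 1, 1, hashlib.sha256(LEAF_SPKI).digest())]        # "3 1 1" record
TA_TLSA = [TLSA(2, 0, 2, hashlib.sha512(ISSUER_CERT).digest())]        # "2 0 2" record
STALE_TLSA = [TLSA(3, 1, 1, hashlib.sha256(b"rotated-away key").digest())]

SAMPLE = [  # constructed population of MX hosts, one probe each
    Probe(EHLO_PLAIN),
    Probe(EHLO_WITH_STARTTLS, handshake_ok=True),
    Probe(EHLO_WITH_STARTTLS, handshake_ok=True, pkix_valid=True),
    Probe(EHLO_WITH_STARTTLS, handshake_ok=True, tlsa=GOOD_TLSA, dnssec_secure=True),
    Probe(EHLO_WITH_STARTTLS, handshake_ok=True, tlsa=STALE_TLSA, dnssec_secure=True),
]


def summarize(probes) -> dict:
    """Count outcomes, the shape of the per-category numbers quoted above."""
    counts = {}
    for p in probes:
        outcome = classify(p)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    for outcome, n in sorted(summarize(SAMPLE).items()):
        print(f"{outcome:20s} {n}")
```

The last probe is the case the policy exists for: the host advertises STARTTLS and the handshake succeeds, but the key no longer matches the published TLSA record, so the MTA defers instead of silently delivering opportunistically. That is also the misconfiguration risk of the thread title from the receiving side: a TLSA record that is not updated on key rotation turns every DANE-aware sender into a deferral.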