[Standards] Fwd: [Uta] STARTTLS vulnerabilities

Philipp Hancke fippo at goodadvice.pages.de
Wed Aug 11 20:13:12 UTC 2021


tl;dr: it's a mess. What is the deployment state of xep-0368?

Am 11.08.21 um 19:08 schrieb Peter Saint-Andre:
> Perhaps of interest here...
> 
> 
> -------- Forwarded Message --------
> Subject: [Uta] STARTTLS vulnerabilities
> Date: Wed, 11 Aug 2021 17:42:40 +0200
> From: Hanno Böck <hanno at hboeck.de>
> To: Uta at ietf.org
> 
> Hi,
> 
> I wanted to share some research we have done on vulnerabilities in
> STARTTLS implementations:
> https://nostarttls.secvuln.info/
> 
> We started analyzing STARTTLS implementations in E-Mail servers and
> clients based on the 2011 command injection discovered in Postfix. We
> learned that this vulnerability is still very prevalent in current
> servers and that clients suffer from similar vulnerabilities. We also
> found some IMAP specific vulnerabilities.
> 
> Focussing on client-to-server communication our recommendations are
> mostly in line with what this working group has already concluded in
> RFC 8314, which is that implicit TLS on its own port should be
> preferred over STARTTLS.
> 
> 
> Our research has not focussed on the server-to-server part. Still I
> think particularly the buffering / injection vulnerabilities are
> a concern if one wants to secure s2s communication with mechanisms like
> MTA-STS. I strongly recommend that users of MTA-STS audit their
> STARTTLS implementations for buffering bugs.
> (We found a buffering bug in Yahoo's MX servers, and Yahoo is one of
> the companies driving MTA-STS. I was unable to report this properly to
> Yahoo, I reported it through their Hackerone bugbounty program, but the
> bug triagers were unwilling to try to understand the issue and didn't
> forward it to Yahoo.)
> 


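As an added illustration (not part of this thread or of the linked research), the following toy Python model shows the buffering bug Hanno refers to: plaintext bytes that were read in the same chunk as STARTTLS surviving into the TLS-protected phase, and the fix of discarding the plaintext buffer before the handshake. The class, the flag name and the input lines are constructed for the demo; there is no network I/O.

```python
"""Toy model of a STARTTLS command processor and its buffering bug.

A server reads plaintext into a buffer, finds STARTTLS, performs the TLS
handshake, and (if buggy) keeps draining the same buffer afterwards, so
bytes that arrived unprotected are treated as if sent inside TLS.
The fix is to discard any buffered plaintext before switching to TLS.
"""
from typing import List, Tuple


class StarttlsServer:
    def __init__(self, discard_buffer_on_starttls: bool) -> None:
        self.discard = discard_buffer_on_starttls  # hypothetical switch
        self.tls_active = False
        self.buf = b""
        # (command, tls_active_when_processed) for every command acted on
        self.log: List[Tuple[str, bool]] = []

    def feed(self, chunk: bytes) -> None:
        """Deliver one chunk as read from the current transport."""
        self.buf += chunk
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            cmd = line.decode("ascii", "replace").strip()
            self.log.append((cmd, self.tls_active))
            if cmd.upper() == "STARTTLS" and not self.tls_active:
                if self.discard:
                    # hardened: nothing read in plaintext may carry over
                    self.buf = b""
                self.tls_active = True  # the handshake would happen here
                # a vulnerable server simply continues draining self.buf


def commands_processed_under_tls(server: StarttlsServer) -> List[str]:
    """Commands the server believed were protected by TLS."""
    return [cmd for cmd, tls in server.log if tls]


def run(discard_buffer_on_starttls: bool) -> List[str]:
    s = StarttlsServer(discard_buffer_on_starttls)
    # constructed input: a single read containing STARTTLS plus a trailing
    # plaintext line that should never be honoured after the handshake
    s.feed(b"EHLO example.test\r\nSTARTTLS\r\nNOOP sent-in-plaintext\r\n")
    # first command the client sends inside the TLS session
    s.feed(b"EHLO example.test\r\n")
    return commands_processed_under_tls(s)


if __name__ == "__main__":
    print("vulnerable:", run(False))
    print("hardened:  ", run(True))
```

The hardened variant only ever sees the post-handshake EHLO as TLS-protected, which is the property an audit of a STARTTLS implementation should confirm.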