[Standards] Fwd: [Uta] STARTTLS vulnerabilities

Peter Saint-Andre stpeter at mozilla.com
Wed Aug 11 20:25:56 UTC 2021


Too bad we didn't stick to our guns in 2003 and insist on two ports
instead of one, but STARTTLS was the recommended approach back then...

On 8/11/21 2:13 PM, Philipp Hancke wrote:
> tl;dr: it's a mess. What is the deployment state of xep-0368?
> 
> Am 11.08.21 um 19:08 schrieb Peter Saint-Andre:
>> Perhaps of interest here...
>>
>>
>> -------- Forwarded Message --------
>> Subject: [Uta] STARTTLS vulnerabilities
>> Date: Wed, 11 Aug 2021 17:42:40 +0200
>> From: Hanno Böck <hanno at hboeck.de>
>> To: Uta at ietf.org
>>
>> Hi,
>>
>> I wanted to share some research we have done on vulnerabilities in
>> STARTTLS implementations:
>> https://nostarttls.secvuln.info/
>>
>> We started analyzing STARTTLS implementations in E-Mail servers and
>> clients based on the 2011 command injection discovered in Postfix. We
>> learned that this vulnerability is still very prevalent in current
>> servers and that clients suffer from similar vulnerabilities. We also
>> found some IMAP specific vulnerabilities.
>>
>> Focussing on client-to-server communication our recommendations are
>> mostly in line with what this working group has already concluded in
>> RFC 8314, which is that implicit TLS on its own port should be
>> preferred over STARTTLS.
>>
>>
>> Our research has not focussed on the server-to-server part. Still I
>> think particularly the buffering / injection vulnerabilities are
>> a concern if one wants to secure s2s communication with mechanisms like
>> MTA-STS. I strongly recommend that users of MTA-STS audit their
>> STARTTLS implementations for buffering bugs.
>> (We found a buffering bug in Yahoo's MX servers, and Yahoo is one of
>> the companies driving MTA-STS. I was unable to report this properly to
>> Yahoo, I reported it through their Hackerone bugbounty program, but the
>> bug triagers were unwilling to try to understand the issue and didn't
>> forward it to Yahoo.)
>>
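The "buffering / injection" bug class that Hanno's forwarded message asks MTA-STS users to audit for is easiest to see in a small model of the server side of the plaintext-to-TLS transition. The block below is an added example written for this thread; it is not code from the nostarttls research, from Postfix, or from any other project named above. The TLS handshake is simulated in memory, the command set is cut down to what the point needs, and the `554` reply text for trailing plaintext is a constructed choice, not a reply any particular server sends. The vulnerable configuration keeps whatever bytes were already read alongside the `STARTTLS` line and parses them after the handshake as though they had arrived over TLS; the hardened configuration refuses to start TLS when plaintext trails the command and drops those bytes, which is the check an audit should confirm.

```python
"""
Toy model of a server-side STARTTLS transition (added example, not project code).

A server typically reads from the socket in chunks, so one read() may return
"EHLO x\r\nSTARTTLS\r\nRSET\r\n". If the server switches to TLS and then keeps
parsing the bytes it already has, the trailing "RSET" is treated as if the
client had sent it inside the encrypted session. That is the buffering bug.
"""


class Session:
    def __init__(self, discard_plaintext_after_starttls: bool):
        self.hardened = discard_plaintext_after_starttls
        self.tls_active = False
        self.pending = b""   # bytes read from the socket but not yet parsed
        self.actions = []    # (command, context) pairs the server acted on
        self.replies = []    # reply lines the server would write back

    def feed(self, data: bytes):
        """Simulate one read() from the socket followed by line-by-line parsing.

        Lines are split off one at a time so that clearing self.pending inside
        handle() really does discard anything that trailed the STARTTLS line.
        """
        self.pending += data
        while b"\r\n" in self.pending:
            line, _, self.pending = self.pending.partition(b"\r\n")
            self.handle(line)
        return self.actions

    def handle(self, line: bytes):
        ctx = "tls" if self.tls_active else "plaintext"
        cmd = line.split(b" ", 1)[0].upper()
        if cmd == b"STARTTLS" and not self.tls_active:
            if self.hardened and self.pending:
                # Hardened behaviour (this example's design choice): STARTTLS must
                # be the last thing the client sent in plaintext. Bytes after it
                # were not protected by TLS and must not be carried into the
                # encrypted session, so refuse the upgrade and drop them.
                self.replies.append(b"554 5.5.1 Plaintext data after STARTTLS not allowed")
                self.pending = b""
                return
            self.replies.append(b"220 2.0.0 Ready to start TLS")
            self.actions.append((cmd, ctx))
            # Simulated handshake; a real server would hand the socket to the
            # TLS library here and read only decrypted records afterwards.
            self.tls_active = True
            if self.hardened:
                self.pending = b""  # defence in depth: never reuse the plaintext buffer
            return
        self.actions.append((cmd, ctx))
        self.replies.append(b"250 OK")


# Constructed sample: a client (or an on-path attacker) pipelines a command
# after STARTTLS in the same plaintext write.
PIPELINED = b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n"


def demo():
    vulnerable = Session(discard_plaintext_after_starttls=False)
    vulnerable.feed(PIPELINED)
    hardened = Session(discard_plaintext_after_starttls=True)
    hardened.feed(PIPELINED)
    return vulnerable.actions, hardened.actions, hardened.replies[-1]


if __name__ == "__main__":
    v_actions, h_actions, h_reply = demo()
    print("vulnerable server acted on:", v_actions)  # RSET shows up with context "tls"
    print("hardened server acted on:  ", h_actions)  # only the EHLO, then a 554 reply
    print("hardened server replied:   ", h_reply)
```

Run as a script it prints both traces; the telling line is the `(b'RSET', 'tls')` entry on the vulnerable side, a command the server never received over TLS. The same check applies in the other direction: a client that buffers the server's plaintext greeting or reply together with the `220` to STARTTLS, and then parses the remainder after the handshake, has the mirror-image bug Hanno's message attributes to clients.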