SMTP Downgrade Attacks and MTA-STS

submitted by
Style Pass
2024-10-02 00:30:03

In this post, I audit several prominent mail providers to discover how they handle email encryption and show how MTA-STS can help improve email security.

When SMTP was created it was cleartext only, as we hadn’t yet figured out transport layer security (TLS). When TLS was finally ready, we needed a way to phase TLS in. STARTTLS was created and offered opportunistic encryption. Basically, a mail sender could ask the destination mail server: “Do you support encryption?” If the reply was positive, then a TLS session would be established using the certificate the server provided. If not, then a cleartext SMTP session would be used.

Anyone who’s studied network security will see a problem here. An active attacker-in-the-middle (AitM) can inject their own response claiming that encryption isn’t supported, tricking the sender into using cleartext and allowing the attacker to eavesdrop on the message. This is a classic downgrade attack.

Even when the receiving mail server presents a TLS certificate, troubles abound. Consider the options a sending mail server has when it is presented with a TLS certificate it doesn’t trust. Maybe the hostname doesn’t match, the certificate has expired, or it’s signed by an unknown certificate authority (CA).
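The sender-side decision described above, modelled with and without an enforced MTA-STS policy, as an added example that is not code from the original post. The EHLO replies, hostnames and policy text are constructed, the function names are hypothetical, and the opportunistic sender is assumed to accept any certificate.

```python
# Added example (not from the original post). Replies, hostnames and the
# policy text are constructed sample data; function names are hypothetical.
EHLO_FULL = "250-mx1.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = "250-mx1.example.net\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"
POLICY_TEXT = "version: STSv1\nmode: enforce\nmx: *.example.net\nmax_age: 604800\n"

def ehlo_extensions(reply):
    """Extension keywords from a multi-line EHLO reply ('250-...' / '250 ...')."""
    exts = set()
    for line in reply.strip().splitlines()[1:]:  # first line is the greeting
        words = line[4:].split()
        if line.startswith("250") and words:
            exts.add(words[0].upper())
    return exts

def parse_sts_policy(text):
    """Parse an RFC 8461 policy body: 'key: value' lines, 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        else:
            policy[key.strip()] = value.strip()
    return policy

def mx_allowed(mx_host, patterns):
    """RFC 8461 matching: '*.' stands for exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            if host.partition(".")[2] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def decide(mx_host, ehlo_reply, cert_valid, policy=None):
    """Return 'tls', 'cleartext' or 'refuse' for one delivery attempt."""
    starttls = "STARTTLS" in ehlo_extensions(ehlo_reply)
    if policy and policy.get("mode") == "enforce":
        ok = starttls and cert_valid and mx_allowed(mx_host, policy["mx"])
        return "tls" if ok else "refuse"
    # Assumption: without an enforced policy the sender is purely
    # opportunistic: any certificate is accepted, no STARTTLS means cleartext.
    return "tls" if starttls else "cleartext"
```

With the stripped reply, the opportunistic sender silently delivers in cleartext, while the sender holding an `enforce` policy refuses delivery, which turns the downgrade into a visible failure.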
