No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large

TLS is the most widely used cryptographic protocol on the Internet today. While multiple recent studies focused on its use in HTTPS and the adoption rate of additional security measures over time, detailed insights into the usage of TLS in e-mail-related protocols are still lacking. End-to-end encryption mechanisms like PGP are seldom used, and as such today's confidentiality in the e-mail ecosystem is based entirely on the encryption of the transport layer. However, a large fraction of e-mails is still transmitted unencrypted, which is highly disproportionate to the sensitive nature of e-mail communication content. A well-positioned attacker may be able to intercept plaintext communication content as well as communication metadata passively and with ease. We are the first to collect and analyze the complete state of today's e-mail-related TLS configuration for the entire IPv4 address range. Our methodology is based on commodity hardware and open-source software, and we draw a comprehensive picture of the current state of security mechanisms on the transport layer for e-mail by scanning cipher suite support, which was previously considered impossible due to numerous constraints. We collected and scanned a massive dataset of 20 million IP/port combinations of all e-mail-related protocols (SMTP, POP3, IMAP). Over a time span of approx. three months we conducted more than 10 billion TLS handshakes. Additionally, we show that securing server-to-server communication using e.g. SMTP is inherently more difficult than securing client-to-server communication, and that while the overall trend points in the right direction, there are still many steps needed towards secure e-mail.
