Too bad we didn't stick to our guns in 2003 and insist on two ports instead of one, but STARTTLS was the recommended approach back then...
On 8/11/21 2:13 PM, Philipp Hancke wrote:
> tl;dr: it's a mess. What is the deployment state of xep-0368?
>
> On 11.08.21 at 19:08, Peter Saint-Andre wrote:
>> Perhaps of interest here...
>>
>>
>> -------- Forwarded Message --------
>> Subject: [Uta] STARTTLS vulnerabilities
>> Date: Wed, 11 Aug 2021 17:42:40 +0200
>> From: Hanno Böck <ha...@hboeck.de>
>> To: u...@ietf.org
>>
>> Hi,
>>
>> I wanted to share some research we have done on vulnerabilities in
>> STARTTLS implementations:
>> https://nostarttls.secvuln.info/
>>
>> We started analyzing STARTTLS implementations in E-Mail servers and
>> clients based on the 2011 command injection discovered in Postfix. We
>> learned that this vulnerability is still very prevalent in current
>> servers and that clients suffer from similar vulnerabilities. We also
>> found some IMAP specific vulnerabilities.
>>
>> Focussing on client-to-server communication our recommendations are
>> mostly in line with what this working group has already concluded in
>> RFC 8314, which is that implicit TLS on its own port should be
>> preferred over STARTTLS.
>>
>>
>> Our research has not focussed on the server-to-server part. Still I
>> think particularly the buffering / injection vulnerabilities are
>> a concern if one wants to secure s2s communication with mechanisms like
>> MTA-STS. I strongly recommend that users of MTA-STS audit their
>> STARTTLS implementations for buffering bugs.
>> (We found a buffering bug in Yahoo's MX servers, and Yahoo is one of
>> the companies driving MTA-STS. I was unable to report this properly to
>> Yahoo, I reported it through their Hackerone bugbounty program, but the
>> bug triagers were unwilling to try to understand the issue and didn't
>> forward it to Yahoo.)
>>
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: standards-unsubscr...@xmpp.org
> _______________________________________________
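The buffering bug Hanno's message refers to (plaintext that arrives in the same read as the STARTTLS exchange and is then processed after the handshake as if it had come over TLS), modelled as an added example that is not part of this thread or of any implementation it mentions. No real TLS is involved; the handshake is just a state transition, and the function names and reply strings are constructed for this illustration.

```python
# Added example (not from the thread or any project): a model of the STARTTLS
# "buffering" bug. It shows how a server or client handles bytes that arrive
# in the same TCP read as the STARTTLS command or the 220 reply. No real TLS:
# the handshake is a point in the state machine. Function names and reply
# strings are constructed for this example.

def split_lines(buf):
    """Split a read buffer into complete CRLF-terminated lines plus a remainder."""
    lines = []
    while b"\r\n" in buf:
        line, buf = buf.split(b"\r\n", 1)
        lines.append(line)
    return lines, buf

def vulnerable_server(segment):
    """Naive server: drains everything already in the buffer. Lines that arrived
    in the same segment as STARTTLS run after the handshake, as though the
    client had sent them inside the TLS session. Returns those leaked lines."""
    lines, _ = split_lines(segment)
    tls_active, leaked = False, []
    for line in lines:
        if not tls_active and line.upper() == b"STARTTLS":
            tls_active = True          # handshake would happen here
        elif tls_active:
            leaked.append(line)        # plaintext treated as if it were encrypted
    return leaked

def hardened_server(segment):
    """Hardened server: STARTTLS must be the only thing in the plaintext buffer.
    Any trailing bytes are pipelined plaintext, so refuse the upgrade and drop
    them rather than carry them into the TLS session. Returns (reply, upgrade)."""
    lines, rest = split_lines(segment)
    if not lines or lines[0].upper() != b"STARTTLS":
        return b"503 Bad sequence of commands\r\n", False
    if len(lines) > 1 or rest:
        return b"554 Plaintext data after STARTTLS refused\r\n", False
    return b"220 Ready to start TLS\r\n", True

def hardened_client(segment):
    """Client side of the same check: only the single 220 line belongs to the
    plaintext phase. Anything after it must be discarded, never handed to the
    TLS reader. Returns (proceed_with_handshake, bytes_to_discard)."""
    first, _, extra = segment.partition(b"\r\n")
    if not first.startswith(b"220"):
        return False, b""
    return True, extra                 # caller drops `extra` before the handshake
```

Auditing a real implementation for this class of bug means checking the same two points: the server must not keep plaintext read before the handshake, and the client must not parse server bytes buffered before the handshake.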