On the Sorry State of E-Mail Security

You're browsing without Javascript! If you have no idea what that means, you should ask your technical friend about it.
Otherwise - kudos. The website should work - with the exception of comments. You can learn what they are; however, by visiting /comments.py?postid=blog-no_email_security
If it doesn't, please contact me and let me know.

20 May 2012 23:34 EST

Something I've been interested in for the past few months is SSL/TLS, and in particular looking at undetectable attacks.

Censorship is detectable. You know you're being censored. Censorship always implies passive network tapping - the entity has to perform the tap to do the censorship. And censorship itself is an active attack - the entity blocks you from visiting the website.

But passive attacks are usually undetectable from the user's perspective. If a network is being tapped - either a corporate network, or the national backbone - you usually have no way of learning this. We have a pretty good idea that the NSA is tapping large swaths of the Internet, but because it's just whistleblowers it's not considered credible proof. The Swedish version however is well documented.

But active attacks aren't always detectable either. If Chrome didn't have cert pinning, who knows how long DigiNotar would have been undetected. If a CA is compromised, we won't be able to detect an attack. Bugs can bypass certificate validity checking too. It's a dangerous type of client bug that allows undetectable MITM, but we've seen them. And if a client isn't checking for the validity of a certificate, an attacker doesn't need a bug or CA compromise, they can just perform a MITM with a self-signed certificate.

When we think of "SSL clients" we think of web browsers. Sometimes email uses SSL too. Not always. When it doesn't, it's obviously easy to tap and read. But when it does, it's not much better.

Your individual client - Outlook or Thunderbird will require a valid certificate if it's configured to use SSL. But there's more to it than that. Without going into too much detail, Outlook is a Mail User Agent (MUA), and it talks to a Mail Transfer Agent (MTA). When you send an email, your MUA transfers it to a MTA, and the MTA transfers it to another MTA. That MTA-to-MTA transfer is rarely protected by SSL. When it is protected it rarely has a valid certificate. Even if it does have a valid certificate, it's almost never that a MTA requires a valid certificate.

The end result of this is that our entire email infrastructure is vulnerable to passive eavesdropping and undetectable active attacks. We have statistics. And we have examples. You can use the very awesome CheckTLS.com to run some tests on different mail servers. I ran a few tests myself:

Valid SSL Certificate
- Paypal
- Wells Fargo
- Bank of America
- PNC Bank
- StartSSL
- GeoTrust
- Thawte
- Visa
- VMWare
Has Invalid SSL Certificate

Google/Gmail, including Twitter and Github
Google Voice e.g. txt.voice.google.com
Youtube - bad wildcard
J.P. Morgan Chase
Citibank
ING Direct
Amazon
Tor Project (self-signed)
EFF (For a strange reason..)
Comodo (For a strange reason..)
Digicert (For a strange reason..)

Has no SSL Certificate

Hotmail
Yahoo
Facebook
Mail.com
Live
Mint.com
Discover Card
Entrust

There's no ubiquitous e-mail encryption (S/MIME or PGP), there's no requirement for a valid SSL certificate (for what it's worth), and there's no requirement for SSL at all. And there's no global plan for fixing it either. Yet.

Footnotes:

OONI, or the Open Observatory of Network Interference, was introduced at RECon 2011 (video of talk) and is a tool to detect surveillance and censorship in the world.

Even though Outlook and Thunderbird will require a valid CA-signed certificate if they're configured to use SSL, there's no Cert Patrol or Convergence for a mail client, so you'd never detect a CA compromise.

Comments

/comments.py?postid=blog-no_email_security

Add a comment...

Name: required
E-Mail: required, hidden, gravatared
Website:
Comment: required, markdown enabled (help)

you type:	you see:
italics	italics
bold	bold
[stolen from reddit!](http://reddit.com)	stolen from reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"