SSL or Secure Sockets Layer is protocol designed to provide a secure way of transmitting information between computer systems. Originally created by Netscape and released publicly as SSLv2 in 1995 and updated to SSLv3 in 1996. TLS or Transport Layer Security was created in 1999 as a replacement for SSLv3. TLS and SSL are most commonly used to create a secure (encrypted) connection between your web browser and websites so that you can transmit sensitive information like login credentials, passwords, and credit card numbers.
M3AAWG published a initial recommendation that urges the disabling of all versions of SSL. It has been a rough year for encryption security, first with Heartbleed vulnerability with the OpenSSL library, and again with POODLE which stands for “Padding Oracle on Downgraded Legacy Encryption” that was discovered by Google security researchers in October of 2014. On December 8, 2014 it was reported that TLS implementations are also vulnerable to POODLE attack, however unlike SSLv3, TLS can be patched where as SSL 3.0 has a fundamental issue with the protocol.
Due to a number of known security issues with SSLv2 and SSLv3, M3AAWG urges the industry to disable all versions of SSL.
M3AAWG are not the only ones calling to leave SSL behind, Firefox disabled all versions of SSL in Firefox 34, Microsoft will disable fallback to SSL 3 in IE11 starting in February 2015 and Apple’s Safari OSX 10.8 and iOS 8.1 have removed all support for SSLv3.
As more mailbox providers enable TLS encryption, it will protect emails in transit from eavesdropping. M3AAWG recommends starting with TLS version 1.2 for mail servers.
RSS - Posts
Any word on statistics and diagnostics tools, e.g. like what ssllabs does for web servers?
I had a brief talk with Ivan Ristic of qualys fame, he wants to do something for e-mails too, but it will be a while. in the interim, how well do MTAs do certificate validation, CRL handling and all the really hard stuff that TLS takes to be adequately secure?
any recommendations on starttls stripping (https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks) ?
the e-mail community seems to have lots to go on when it comes to security…
http://www.checktls.com/ is a resource for checking if a mailbox provider supports TLS and Google published their Transparency Report last week https://www.google.com/transparencyreport/saferemail/
Regarding STARTTLS stripping, the more noise people make about it being unacceptable to the FCC the better, however there are incentives for the mailbox providers to strip the encryption. Steve posted last month https://wordtothewise.com/2014/11/starttls-misplaced-outrage/ about how the STARTTLS stripping was not done by the ISP but rather a misconfigured Cisco PIX device.