Google, Microsoft and Yahoo want to make email resistant to MITM attacks

In the era of Apple vs FBI and large-scale hacking on a regular basis, many people are beginning to realize that our data are not so well protected as they should be. Google, Amazon, Facebook, Microsoft and many other technological giants teamed up to improve the safety of e-mail traffic, which is available on the network.

Developers of programs for these companies decided to work together to create a new system, which is called SMTP Strict Transport Security. This mechanism allows email providers to define new rules for the creation of encrypted email-connections.

The new technology is mandatory because security standards for email have not changed for many years, as a result, many email is not encrypted and open to Mitm attacks related to the interception of email and change their content in the transmission to the desired destination. When email first came, he was using the SMTP protocol, which does not have built-in encryption. In 2002 was issued the STARTTLS extension, which offered support for TLS encryption for SMTP-connections.

According to research by the company behind the creation of the protocol, one of the main problems with the standard is the fact that if the sending of emails to be held with any problems, a mail will be sent unencrypted by default. STARTTLS is also using opportunistic encryption, ie, it does not verify the digital certificate of the server. If it cannot check the server correctly, he believes that sending emails is better than nothing.

This leads to problems with Mitm vulnerability, a hacker can intercept traffic by providing any certificate, even a self-signed. This allows the hacker to decrypt the email, and receive all encrypted emails.

SMTP Strict Transport Security solves this problem. The new protocol is designed to prevent the sending of an email, if a message cannot be sent securely. It also allows you to make sure that the email certificate is a valid; in the case of incorrect certificate email will not be sent, and the sender receives a notification about why the message was not sent.

If this proposal is approved, we will get a more secure email.

Posted in Vulnerabilities Tagged with: , , , , ,

All about SSL

This site is dedicated to SSL-certificates. You will learn what is an SSL certificate, how to issue and reissue it. FAQ SSL will be useful for both novices and pros. SSL Knowledgebase contains sections on validation, trust logo, vulnerabilities, SSL-certificates differences by type (Wildcard, EV, DV, etc.), as well as many other things.