Secure email transport (STARTTLS and DANE)
Originally, email messaging was developed without security in mind. Messages were exchanged in plain text (as if it were a postcard). The standard protocols for retrieving and sending email, such as POP, IMAP and SMTP, were already in place well before encryption technology was introduced.
Since then, email providers and engineers have been playing catch-up. Protocols such as STARTTLS and DANE were developed and introduced. Even today, Google reports that about 10% of email is still transferred unencrypted.
To make sure 100% of all email correspondence is encrypted during transit, the cooperation of all online mail providers is required.
What is STARTTLS?
STARTTLS is a protocol that upgrades an existing unencrypted connection to an encrypted one, so that email messages in transit are protected from being eavesdropped on. STARTTLS should not be confused with TLS (see ….), which is the actual encryption technology. (Thanks to Fastmail for the information provided at https://www.fastmail.help/hc/en-us/articles/360058753834-SSL-TLS-and-STARTTLS)
STARTTLS has a weakness: it is so-called opportunistic. This means encryption is only used after it has been negotiated between the sending and receiving servers over an unencrypted connection. This makes it relatively easy for an attacker on the network path to suppress that negotiation, so that the email is transferred over an unencrypted connection instead.
What is DANE?
There is another weakness. SMTP servers (the servers that send email) do not validate the authenticity of the receiving mail server's certificate; any certificate is accepted. This again makes it relatively easy for an attacker to manipulate email transport.
The DANE protocol addresses this issue. DNS-based Authentication of Named Entities (DANE) allows SMTP servers to establish encrypted TLS connections without the weaknesses of opportunistic STARTTLS described above. DANE is used to ensure reliable encryption for email transport.
For this to work as intended, DANE uses DNSSEC to retrieve information that is published by the domain name's owner or administrator. This information lets a sending SMTP server determine up front whether the receiving SMTP server supports an encrypted connection, and also provides the means to validate the authenticity of that server's certificate.
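As an added example (not from the original article), the following Python sketches the decision a sending SMTP server makes with and without DANE data: it parses a TLSA record of the kind DANE publishes in DNSSEC-signed DNS (RFC 7671), checks whether the peer's EHLO response offers STARTTLS, and shows that a stripped STARTTLS offer or a non-matching certificate ends in refusal under DANE, but in plaintext or unverified TLS without it. The EHLO lines, certificate bytes and record are constructed sample data, and only DANE-EE (usage 3) matching is implemented.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 7671): usage, selector, matching type, association data."""
    usage: int      # 3 = DANE-EE (end-entity cert); 2 = DANE-TA needs chain walking, not handled here
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 <hex>', as published at _25._tcp.<mx-host>."""
    usage, selector, mtype, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE check: does the presented leaf certificate match this record?"""
    if rec.usage != 3:
        return False  # PKIX-* usages are unusable for SMTP (RFC 7672); DANE-TA omitted here
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    digest = {0: lambda b: b,
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}.get(rec.mtype)
    if selected is None or digest is None:
        return False  # unknown selector or matching type: record is unusable
    return digest(selected) == rec.data

def ehlo_offers_starttls(ehlo_lines) -> bool:
    """True if the EHLO response advertises the STARTTLS extension (RFC 3207)."""
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_lines)

def transport_decision(ehlo_lines, tlsa_records, dnssec_secure, cert_der, spki_der) -> str:
    """What a sending SMTP server does with this peer, following the RFC 7672 logic."""
    offers = ehlo_offers_starttls(ehlo_lines)
    if dnssec_secure and tlsa_records:
        # DANE: TLS is mandatory and the certificate must match; stripping or forgery means refusal
        if offers and any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_records):
            return "tls-verified"
        return "refuse"
    # No DNSSEC-validated TLSA data: opportunistic STARTTLS, any certificate accepted, else plaintext
    return "tls-opportunistic" if offers else "plaintext"

# Constructed sample data (not real DNS records or certificates)
CERT_DER = b"constructed-leaf-certificate-der"
SPKI_DER = b"constructed-subject-public-key-info"
TLSA_RDATA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()
EHLO_FULL = ["250-mx.example.test", "250-SIZE 35882577", "250-STARTTLS", "250 OK"]
EHLO_STRIPPED = ["250-mx.example.test", "250-SIZE 35882577", "250 OK"]  # STARTTLS line removed in transit
```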
Guidance from the Australian government on the use of STARTTLS (‘Opportunistic TLS’) can be found here.
DANE policies have been introduced in Germany, Norway, the Netherlands, Sweden, the European Union, and the United States, but not yet in Australia.
- RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security
- RFC 7672: SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
- RFC 7671: The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance