pop 110/995, imap 143/993 ?

Gary lists at lazygranch.com
Tue Aug 22 01:42:48 EEST 2017


If I read this correctly, starttls will fail due to the MITM attack. That is, the client knows security has been compromised. Using SSL/TLS, the MITM can use SSL stripping. Since most Postfix conf use "may" for security, the message would go through unencrypted. Correct???

Is there something to enable for perfect forward security with starttls?



  Original Message  
From: s.arcus at open-t.co.uk
Sent: August 21, 2017 3:07 PM
To: dovecot at dovecot.org
Reply-to: dovecot at dovecot.org
Subject: Re: pop 110/995, imap 143/993 ?

On 21/08/17 22:18, Joseph Tam wrote:
> 
> Lest anyone think STARTTLS MITM doesn't happen,
> 
>      https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/
> 
> Not only for security, I prefer port 993/995 as it's just plain simpler
> to initiate SSL from the get-go rather than to do some handshaking that
> gets you to the same point.

Frankly, after reading the above link and some more info on the internet 
on the subject, I am now wondering why we bother at all with STARTTLS 
for imap, pop3 and even smtp (and by the way, port 465 for SMTP + 
SSL/TLS *is* indeed deprecated officially). It would appear that 
STARTTLS is significantly more vulnerable to MITM attacks than plain 
SSL/TLS for all the above protocols. Is the slight extra convenience of 
opportunistic encryption really worth the substantial loss in security?
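The downgrade the two posts above are worried about is easy to see in code. The following is an added illustration written for this archive page, not code from either poster, from Dovecot or from Postfix. It feeds constructed SMTP EHLO and IMAP CAPABILITY replies, once intact and once with the STARTTLS advertisement removed as a stripping MITM would do, through a client-side policy decision whose values `none`, `may` and `encrypt` are borrowed from Postfix's `smtp_tls_security_level` (the decision logic itself is a simplification of our own, and the function names are hypothetical). It also builds a client `ssl.SSLContext` that verifies the certificate and only negotiates ECDHE key exchange on TLS 1.2, which is what "perfect forward secrecy with starttls" comes down to on the client side; TLS 1.3 has forward secrecy built in.

```python
"""Opportunistic versus mandatory STARTTLS under a stripping MITM, plus a
forward-secret client TLS context.  Added example; helper names are
hypothetical and the server replies below are constructed, not captured."""
import ssl


class TLSRequiredError(Exception):
    """Raised when policy demands TLS but STARTTLS was not offered."""


# Constructed replies.  The "stripped" variants are what a client sees when
# a middlebox removes the STARTTLS advertisement from the server's answer.
SMTP_EHLO_INTACT = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
SMTP_EHLO_STRIPPED = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)
IMAP_CAPS_INTACT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN\r\n"
IMAP_CAPS_STRIPPED = "* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n"


def smtp_capabilities(ehlo_reply: str) -> set:
    """EHLO keywords: the first word of every '250-'/'250 ' line after the
    greeting line, upper-cased (RFC 5321 section 4.1.1.1 layout)."""
    lines = [l for l in ehlo_reply.splitlines() if l.startswith("250")]
    caps = set()
    for line in lines[1:]:
        words = line[4:].split()
        if words:
            caps.add(words[0].upper())
    return caps


def imap_capabilities(cap_reply: str) -> set:
    """Atoms of an untagged '* CAPABILITY ...' response, upper-cased."""
    for line in cap_reply.splitlines():
        if line.upper().startswith("* CAPABILITY "):
            return {atom.upper() for atom in line.split()[2:]}
    return set()


def choose_transport(capabilities: set, policy: str) -> str:
    """Client decision for one session.

    'none'    never use TLS; 'may' use TLS if offered, else plaintext;
    'encrypt' require TLS.  Returns 'starttls' or 'plaintext', or raises
    TLSRequiredError.  Only 'encrypt' turns a stripping attack into a
    visible failure instead of a silent downgrade."""
    if policy not in ("none", "may", "encrypt"):
        raise ValueError("unknown policy %r" % policy)
    if "STARTTLS" in capabilities and policy != "none":
        return "starttls"
    if policy == "encrypt":
        raise TLSRequiredError("STARTTLS not offered; refusing to continue in the clear")
    return "plaintext"


def forward_secret_client_context() -> ssl.SSLContext:
    """Client context that checks certificate and hostname (the defaults of
    create_default_context) and limits TLS 1.2 suites to ECDHE key
    exchange, so that a recorded session cannot be decrypted later with the
    server's private key."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def uses_only_forward_secret_kex(ctx: ssl.SSLContext) -> bool:
    """True when no enabled TLS 1.2 suite uses static RSA key transport."""
    return all(c["kea"] != "kx-rsa" for c in ctx.get_ciphers())


if __name__ == "__main__":
    for name, reply in (("intact", SMTP_EHLO_INTACT), ("stripped", SMTP_EHLO_STRIPPED)):
        for policy in ("may", "encrypt"):
            try:
                outcome = choose_transport(smtp_capabilities(reply), policy)
            except TLSRequiredError as exc:
                outcome = "ABORT: %s" % exc
            print("%-8s policy=%-7s -> %s" % (name, policy, outcome))
    print("forward-secret context:", uses_only_forward_secret_kex(forward_secret_client_context()))
```

Running it shows the asymmetry the thread describes: with `may`, the stripped reply quietly yields a plaintext session, while `encrypt` aborts. The server-side counterpart for the ports discussed here is to refuse plaintext logins altogether; in Dovecot that is `ssl = required` together with `disable_plaintext_auth = yes`, which makes a client that was tricked into skipping STARTTLS fail to authenticate rather than leak its password.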

