(E-mail) encryption with StartTLS as a security risk

[German] The encryption method StartTLS, which can be used in network communication and especially for e-mail, has a number of vulnerabilities that make it possible to break open the communication, for example by stealing login credentials. This was demonstrated by German security researchers at the beginning of August 2021.


I had already seen the information at the beginning of August 2021, because one of the German security researchers involved, Hanno Böck, addressed it in this article on the German site Golem. It was then on my agenda for a blog post. Then I saw the topic again in the following tweet and decided to cover it here.

What is StartTLS?

Wikipedia provides a description of StartTLS: it's a method for initiating the encryption of a network connection using Transport Layer Security (TLS). It is mainly used for communication between e-mail servers and clients that exchange messages via POP3, SMTP or IMAP.

STARTTLS dates back to 1999 and was adequate at the time, as it was intended to force encrypted transmissions. As of 2018, only fully encrypted transfers are recommended. With STARTTLS, whether TLS should be used for encryption is explicitly negotiated on the connection.

The problem: If no additional protections against a downgrade attack are implemented, this is opportunistic encryption (encryption is used only if TLS is available on both sides). With STARTTLS, the first connection setup is always in plain text. Since the method no longer offers any advantages over TLS, the "SSL/TLS" setting is generally recommended in e-mail clients, and STARTTLS is therefore not recommended.


Vulnerabilities in StartTLS

A team of German security researchers, including Hanno Böck, has taken a closer look at the encryption method and published its findings on the NO STARTTLS website. The key message: StartTLS is trivially vulnerable to downgrade attacks, because the initial contact and the negotiation of TLS encryption happen unencrypted.

However, modern email clients typically expect STARTTLS to be enforced, and when it is enabled, unencrypted communication is not possible. Even so, STARTTLS connections are exposed to a number of vulnerabilities and attacks. The team of security researchers found more than 40 vulnerabilities in STARTTLS implementations.

The security researchers concluded that these vulnerabilities are so common that they recommend not using StartTLS if possible. I will spare the details here, because the different attack methods can be read on the NO STARTTLS website. For readers, the message is: Check the settings of your email clients (and possibly of other communication connections) and use TLS instead of StartTLS if possible.
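To make the two points above concrete (why the opportunistic negotiation is the weak spot, and what "use TLS instead" means for a client), here is an added example that is not part of the original post or the researchers' work. It models the client-side policy against two constructed EHLO replies, one untampered and one with the STARTTLS capability missing, and shows how an implicit-TLS session (port 465, certificate verified) is opened with Python's standard library; the host name is a placeholder.

```python
"""Added illustration: the client policy decides whether a missing STARTTLS
capability fails closed or silently degrades to plaintext, and how to use
implicit TLS instead. Not code from the original post."""
from __future__ import annotations

import smtplib
import ssl

# Constructed sample EHLO replies (host name is a placeholder).
# The second is what a client sees when the STARTTLS line never reaches it,
# which is the downgrade the researchers describe; the first is untampered.
EHLO_WITH_STARTTLS = (
    "250-mail.example.invalid\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
EHLO_STRIPPED = (
    "250-mail.example.invalid\r\n"
    "250-SIZE 35882577\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)


def advertised_extensions(ehlo_reply: str) -> set[str]:
    """Parse the capability keywords out of a multi-line 250 EHLO reply."""
    exts: set[str] = set()
    for line in ehlo_reply.splitlines()[1:]:   # first line is the greeting
        parts = line[4:].split()               # drop the "250-" / "250 " prefix
        if parts:
            exts.add(parts[0].upper())
    return exts


def client_decision(ehlo_reply: str, require_tls: bool) -> str:
    """Model the client policy. An opportunistic client falls back to
    plaintext when STARTTLS is absent; an enforcing client aborts before it
    would send AUTH or mail data."""
    if "STARTTLS" in advertised_extensions(ehlo_reply):
        return "starttls"
    return "abort" if require_tls else "plaintext"


def open_implicit_tls_session(host: str, port: int = 465) -> smtplib.SMTP_SSL:
    """The post's recommendation: TLS from the first byte, so there is no
    plaintext negotiation to tamper with. The default context verifies the
    certificate chain and the host name."""
    ctx = ssl.create_default_context()
    return smtplib.SMTP_SSL(host, port, context=ctx, timeout=10)
```

The same "require TLS" policy applies to IMAP and POP3 clients; the recommended counterpart there is implicit TLS on ports 993 and 995.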

Thunderbird and Outlook/Hotmail issues

Yesterday I wrote the German edition of this article. Then I checked some mail accounts in Thunderbird and found entries with STARTTLS. Some accounts could be changed to SSL/TLS – for some accounts I needed to set port 465 manually for SMTP. But you should prefer port 587 for SMTP.

And there is another pitfall: If you have Freemail accounts from Microsoft like hotmail.com or outlook.com, you are trapped at STARTTLS. I was able to use SSL/TLS for IMAP (receiving emails), but I failed to use SSL/TLS successfully for the SMTP settings (smtp-mail.outlook.com). With SMTP set to SSL/TLS, Thunderbird wasn't able to send mails successfully.
