Will SMTP STS be decisive for e-mail security?
Simple Mail Transfer Protocol (SMTP), the 1980s transport protocol used to send e-mail, is old and has no built-in way to properly secure e-mail communications. To raise its security level, SMTP STARTTLS was introduced in 2002. But STARTTLS was vulnerable to man-in-the-middle attacks and to fallback (downgrade) attacks that force the connection back to plain text.
A new protocol, SMTP Strict Transport Security (STS), has been developed (14 interminable years after the previous attempt) to raise the level of security. This time, all the major players (Google, Microsoft, Yahoo, Comcast, LinkedIn, 1&1 Mail …) have joined forces to make it a success.
What is the purpose of this new standard?
SMTP STS has been designed to avoid man-in-the-middle attacks.
How does SMTP STS improve SMTP security compared to STARTTLS?
SMTP STS works alongside STARTTLS to reinforce SMTP as a whole and to prevent fallback and man-in-the-middle attacks. Before sending, the sending server verifies that the recipient's domain supports SMTP STS and that its mail server presents a valid, up-to-date public-key certificate; if so, it sends the e-mail securely to the recipient. If not, it refuses to send the e-mail and informs the user of the reason.
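The decision described above, as an added illustration that is not code from Mailfence or from the draft: a sending server parses the recipient domain's policy and decides whether a connection to one MX host may carry the mail. The policy file format follows the version of the standard that was later published as RFC 8461 (MTA-STS); the sample policy, hostnames and the `tls_ok` flag (which stands in for the certificate-chain validation a TLS library performs) are constructed for this example.

```python
"""Sending-side decision logic under an MTA-STS policy (RFC 8461 format)."""

# Constructed sample policy, as a domain would serve it at /.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.example.net
max_age: 604800
"""

def parse_policy(text: str) -> dict:
    """Parse the 'key: value' lines of a policy file; reject unknown versions and modes."""
    policy = {"mode": "none", "mx": [], "max_age": 0}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "version" and value != "STSv1":
            raise ValueError("unsupported policy version: " + value)
        if key == "mode":
            policy["mode"] = value
        elif key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
    if policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode: " + policy["mode"])
    return policy

def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading '*.' that covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.rstrip(".").lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def delivery_decision(policy: dict, mx_host: str, tls_ok: bool, cert_names: list) -> str:
    """Return 'deliver', 'deliver+report' or 'refuse' for one connection to mx_host.
    tls_ok: STARTTLS was negotiated and the chain validates to a trusted root.
    cert_names: DNS names from the certificate's SAN, matched against mx_host."""
    if policy["mode"] == "none":
        return "deliver"
    mx_allowed = any(host_matches(p, mx_host) for p in policy["mx"])
    cert_ok = tls_ok and any(host_matches(n, mx_host) for n in cert_names)
    if mx_allowed and cert_ok:
        return "deliver"
    # enforce: refuse and tell the sender why; testing: deliver but report the failure
    return "refuse" if policy["mode"] == "enforce" else "deliver+report"
```

A stripped STARTTLS, a certificate for the wrong name, or an MX host the policy does not list all end in "refuse" under mode enforce, which is the behaviour the paragraph above describes.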
How long will it take before it is adopted?
At present, this proposal exists only in draft form, and it will take some time before the major players begin to implement it. It was submitted to the Internet Engineering Task Force (IETF) in March 2016, and Google, Microsoft, Yahoo and Comcast are expected to adopt it this year, although no exact date is known.
Will it be enough to restore the confidentiality of e-mails?
Is SMTP STS an important step towards e-mail security, and is it enough to restore the confidentiality of messages? Our answer is NO.
This is where things get tricky: strengthening SMTP security only protects e-mails on their way from the sending SMTP server to the destination SMTP servers, and nothing more.
As a result, the following weaknesses remain:
– Messages travel in clear text from the sender's device until they reach the sender's SMTP server.
– The SMTP servers (on both the sender's and the recipient's side) can read the message in plain text.
– The message remains in clear text from the recipient's SMTP server until it reaches the recipient's device.
These large gaps are weaknesses that attackers can use to undermine the confidentiality and integrity of e-mails.
So, what is the best way to restore the privacy of e-mails?
End-to-end encryption (E2EE) is the only answer: the sender encrypts an e-mail with the recipient's public key, and the recipient decrypts it with his or her private key, all of which happens exclusively on the client side. This approach leaves an attacker no way, not even a stealthy one, to read the message in clear text. Mailfence, a complete secure and private e-mail solution, offers a "real" secure e-mail service with E2EE, in addition to a digital signature feature.
In other words, SMTP STS is not comparable to the level of security provided by end-to-end encryption. It is nevertheless a new step in the right direction, while remaining only a small piece of the puzzle!
The Mailfence team