Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Analysis of TLS in SMTP World

2,294 views

Published on

This talk presents a comprehensive analysis of TLS in the SMTP world. We scanned over 20 million unique email recipient domains and analyzed TLS (X.509) certificates to measure overall STARTTLS deployment quality. We discovered a wealth of information that was previously unknown. The analysis will provide a good baseline in terms of STARTTLS and TLS certificates used in SMTP.

Scan tool: https://prbinu.github.io/tls-scan

Published in: Technology

Analysis of TLS in SMTP World

  1. 1. Analysis of TLS in SMTP World Binu Ramakrishnan Yahoo M3AAWG 34th General Meeting | Dublin, June 2015
  2. 2. BIO M3AAWG 34th General Meeting | Dublin, June 2015  Product Security Engineer, Yahoo Mail – Focused on user data protection and application security  Experience in building Internet scale systems  github.com/prbinu  @securitysauce
  3. 3. Overview M3AAWG 34th General Meeting | Dublin, June 2015 1. Introduction STARTTLS 2. Methodology 3. Findings Certificates TLS Sessions 4. Conclusion 5. Q&A
  4. 4. Objective M3AAWG 34th General Meeting | Dublin, June 2015 • Why STARTTLS is important • Protect user privacy • In case of E2E encryption (GPG/S-MIME) STARTTLS protects meta data from eavesdropping • Understand current STARTTLS deployments with MTAs • Measure overall deployment quality • Present the findings
  5. 5. SMTP Refresher M3AAWG 34th General Meeting | Dublin, June 2015 Source:Wikipedia
  6. 6. Let’s STARTTLS M3AAWG 34th General Meeting | Dublin, June 2015 220 mta-x.mail.bf1.yahoo.com ESMTP ready EHLO mta-x.mail.bf1.yahoo.com 250-mta-x.mail.bf1.yahoo.com 250-PIPELINING 250-SIZE 41943040 250-8BITMIME 250 STARTTLS STARTTLS 220 Start TLS ...
  7. 7. STARTTLS Opportunistic Security M3AAWG 34th General Meeting | Dublin, June 2015 “Some protection most of the time*” • rfc7435 • img source http://bit.ly/1Tujhnc
  8. 8. TLS, PKI and X509 V3 Certificates M3AAWG 34th General Meeting | Dublin, June 2015 Trusted by Client RootCA Intermediate CA-1 Intermediate CA-2 Leaf Certificate-1 Leaf Certificate-2 Leaf Certificate-n
  9. 9. Methodology M3AAWG 34th General Meeting | Dublin, June 2015 • Input size: 20M unique domains • Resolved domain to MX using a fast DNS lookup program • Identify unique MX 6M domains • Scanned MXs to collect TLS data • Completed in 4 hours (28 threads) • Non-blocking event driven program written in C++ • Generated ~10GB of data • Analysis using std Unix text processing tools
  10. 10. M3AAWG 34th General Meeting | Dublin, June 2015
  11. 11. Findings M3AAWG 34th General Meeting | Dublin, June 2015 • Domain-MX-IP Distribution • Certificates • TLS Sessions
  12. 12. M3AAWG 34th General Meeting | Dublin, June 2015
  13. 13. M3AAWG 34th General Meeting | Dublin, June 2015
  14. 14. M3AAWG 34th General Meeting | Dublin, June 2015 80% of MXs we scanned support STARTTLS
  15. 15. Certificates M3AAWG 34th General Meeting | Dublin, June 2015
  16. 16. M3AAWG 34th General Meeting | Dublin, June 2015 Outliers • Half a dozen self- signed ECDSA keys • 512-bit RSA keys • 1024-bit DSA keys • 10240-bit RSA keys ` • Observed few CAs issuing 1024 bit RSA certs in last 2 years • Few are issued with validity period of 10 years Almost same distribution between unique MX and Certs
  17. 17. Signature Algorithm M3AAWG 34th General Meeting | Dublin, June 2015 We are mostly compliant  but … Long live MD2; but this may be not as bad as you think.
  18. 18. M3AAWG 34th General Meeting | Dublin, June 2015 Certificate Trust
  19. 19. M3AAWG 34th General Meeting | Dublin, June 2015
  20. 20. Certificate Expiry M3AAWG 34th General Meeting | Dublin, June 2015 Image source: https://www.flickr.com/photos/eatmorechips/4409100553 Significant number of expired certs is worrisome Some certs that are currently in use expired a decade ago. Is it important?
  21. 21. M3AAWG 34th General Meeting | Dublin, June 2015 • What about the CA bundles we trust? • Are we updating our CA bundle? • Apple, Microsoft, Mozilla and Fedora/RHEL root certificates Trusting the Trust Image source: https://www.flickr.com/photos/dobs/10726756606/
  22. 22. M3AAWG 34th General Meeting | Dublin, June 2015
  23. 23. Other Observations M3AAWG 34th General Meeting | Dublin, June 2015 • Few IPs returned more than 100 unique certs. • 9% of total unique certs comprises of X509 Version-1 (4% for unique MX domains); Few valid X509 V1 root CA certs • Domain MXs directly pointing to rfc1918 private address space • 10K MXs resolved directly to IP, not to a hostname • Valid certs - SAN with more than 200 domain names Image source:https://www.flickr.com/photos/dkshots/6880699090/
  24. 24. M3AAWG 34th General Meeting | Dublin, June 2015 Note: Subject Common Name is deprecated in favor of SAN. So it is important to validate server hostname against SAN Also found large number (676857) of certs with empty SAN field
  25. 25. M3AAWG 34th General Meeting | Dublin, June 2015
  26. 26. TLS Session/Ciphers M3AAWG 34th General Meeting | Dublin, June 2015
  27. 27. SSL Protocol Version Distribution M3AAWG 34th General Meeting | Dublin, June 2015 We also observed an SSLv2 endpoint
  28. 28. M3AAWG 34th General Meeting | Dublin, June 2015
  29. 29. Cipher Distribution M3AAWG 34th General Meeting | Dublin, June 2015 PFS 80%
  30. 30. Logjam M3AAWG 34th General Meeting | Dublin, June 2015 Weak DH 512 and 1024 bit temp key usage Image source: https://www.flickr.com/photos/foresthistory/3663198360/
  31. 31. M3AAWG 34th General Meeting | Dublin, June 2015 Compare with HTTPS The luxury that we don’t have! • CA-Browser (CAB) Forum • Strict certificate validation • Root certificate management & bundling • HTTPS establishes TLS session before making a HTTP request • HPKP, HSTS
  32. 32. Conclusion M3AAWG 34th General Meeting | Dublin, June 2015 • Positive Trends • Opportunistic encryption is proved to be effective against passive attacks. • Modern TLS protocols & ciphers - TLSv1.2 and PFS are widely in use • RSA public keys < 2048 bits still exists in large number, but the overall percentage is low – a positive trend when compared with previous years • Challenges • ~20% of MTAs are with no STARTTLS support • Concerns with the trusting/handling root CA bundles • Mitigating active attacks would be a challenge because of: • Large number of self-signed/expired certificates • Use of vulnerable ciphers & SSL versions • Backward interoperability with plain text SMTP option
  33. 33. Questions? M3AAWG 34th General Meeting | Dublin, June 2015 Thank you!

×