SMTP Strict Transport Security Standard Drafted for Email Security

Google, Microsoft, Yahoo and others published the draft of a standard that could yield significant benefits for email security.

email security

Love it or hate it, email remains a must-have tool in the modern Internet, though email isn't always as secure as it should be. When users connect to email servers, those connections have the potential to be intercepted by attackers, so there is a need for standards, like the new SMTP Strict Transport Security (STS) standard, published March 18 as an Internet Engineering Task Force (IEFT) draft.

The Simple Mail Transfer Protocol, or SMTP, is widely used as one of the primary protocols to access mail servers. By default, SMTP does not require that end-users connect to mail servers with a secured connection that makes use of Transport Layer Security (TLS) encryption.

TLS is the successor to Secure Sockets Layer (SSL) encryption and is the default technology in use today to secure data in motion on the Web. When not connecting over an SSL/TLS connection, data is sent in the clear and can potentially be intercepted and read by anyone.

The SMTP STS standard spells out an approach that enables mail servers to handle and report on the secured status of a connection.

"SMTP STS is a mechanism enabling mail service providers to declare their ability to receive TLS-secured connections," the IETF draft abstract states.

The SMTP STS standard also provides direction on how SSL/TLS certificates can be validated, as well as the ability to report on and/or refuse to deliver messages that cannot be delivered securely. The SMTP STS draft was co-authored by developers from Google, Yahoo, Comcast, Microsoft, LinkedIn and 1&1.

The draft standard is not the first attempt at creating a more secure approach for mail servers. Among the multiple earlier standards is DANE (DNS-based Authentication of Named Entities), which also helps ensure mail server security.

"The primary difference between the mechanism described here and DANE is that DANE requires the use of DNSSEC [Domain Name System Security] to authenticate DANE records, whereas SMTP STS relies on the certificate authority system," the IETF draft states.

The idea of enforcing Strict Transport Security (STS) is also in place for HTTP Web-based traffic, with the HSTS (HTTP Strict Transport Security) IETF standard. With HSTS, a Website can specify that it can only be accessed over an SSL/TLS secured HTTPS connection.

Security experts eWEEK interviewed see the SMTP-STS as an improvement over the StartTLS effort that was an earlier attempt to have email connections use TLS when possible.

"This draft standard is an attempt to improve where STARTTLS failed," said Marcus Carey, CTO and founder of VThreat. "Since STARTTLS was essentially an optional and easy-to-downgrade encrypted connection, it was trivial to be eavesdropped on."

Carey said his initial impression of SMTP STS is that it's definitely a move in the right direction when it comes to providing privacy worldwide. Just by looking at the list of companies involved in the IETF SMTP STS draft, it's easy to surmise that email security is a real problem because many email conversations can be easily intercepted by repressive regimes, he said.

"There are two well-known cases involving ISPs where they circumvented STARTTLS for various reasons," Carey said. "If ISPs can breach the confidentiality of emails, you can count on nation-states exploiting the same weaknesses."

JP Bourget, CEO of Syncurity, agreed that SMTP STS is a step in the right direction to guarantee email privacy. "It also appears that by enforcing TLS identity checking, the ability to spoof a server would much more difficult."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.