Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access

Newman, Chris; Moore, Keith M.

doi:10.17487/rfc8314

Cited by 4 publications

(6 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is emphasised that RFC 7817 [19] does not apply to MTA-to-MTA communications. That is, as per RFC 8314 [5] [29] is a mechanism that binds certificates to domain names. That is, rather than depending on Certification Authorities (CA), DANE relies on DNSSEC for publishing public keys and certificates for use during TLS handshake.…”

Section: B Email Security Standardsmentioning

confidence: 99%

“…This situation directly affects the communication link between an end-user and the corresponding SMTP server as well as that among SMTP servers, which is the focus of this work. For end-user to email server communications, RFC 8314 [5] deprecates the use of cleartext. In addition, end-users can rely on the OpenPGP [6] and S/MIME [7] standards to achieve the aforementioned security goals in an end-to-end fashion.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

What Email Servers Can Tell to Johnny: An Empirical Study of Provider-to-Provider Email Security

2020

View full text Add to dashboard Cite

With hundred billions of emails sent daily, the adoption of contemporary email security standards and best practices by the respective providers are of utmost importance to everyone of us. Leaving out the user-dependent measures, say, S/MIME and PGP, this work concentrates on the current security standards adopted in practice by providers to safeguard the communications among their SMTP servers. To this end, we developed a non-intrusive tool coined MECSA, which is publicly available as a web application service to anyone who wishes to instantly assess the security status of their email provider regarding both the inbound and outbound communication channels. By capitalising on the data collected by MECSA over a period of 15 months, that is, ≈7,650 assessments, analysing a total of 3,236 unique email providers, we detail on the adoption rate of state-of-the-art email security extensions, including STARTTLS, SPF, DKIM, DMARC, and MTA-STS. Our results indicate a clear increase in encrypted connections and in the use of SPF, but also considerable retardation in the penetration rate of the rest of the standards. This tardiness is further aggravated by the still low prevalence of DNSSEC, which is also appraised for the email security space in the context of this work.

show abstract

Section: B Email Security Standardsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

What Email Servers Can Tell to Johnny: An Empirical Study of Provider-to-Provider Email Security

2020

View full text Add to dashboard Cite

show abstract

“…It is further recommended that the connection between the client and MSA be secured using TLS [RFC5246] [RFC8314], associated with the full range of protective measures described in Section 5.2.…”

Section: Sending Via Smtpmentioning

confidence: 99%

“…Establishing a connection with the server over TCP and authenticating to a mailbox with a username and password sent without encryption is not recommended. IMAP clients should connect to servers using TLS [RFC5246] [RFC8314], which should be associated with the full range of applicable protective measures described in Section 5.2.…”

Section: Receiving Via Imapmentioning

confidence: 99%

“…POP3 defines a simpler mailbox access alternative to IMAP, without the same fine control over mailbox file structure and manipulation mechanisms. Users who access their mailboxes from multiple hosts or devices should use IMAP clients instead of POP3, to maintain a synchronization of clients with the single, central mailbox.Clients with POP3 access should configure them to connect over TLS[RFC8314], which should be associated with the full range of protective measures described above in Section 5.2, Email Transmission Security. IMAP and POP3 clients should connect to servers using TLS [RFC5246] and be associated with the full range of protective measures described in This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-177r1…”

mentioning

confidence: 99%

See 1 more Smart Citation

Trustworthy email

Rose¹,

Nightingale²,

Garfinkel³

et al. 2019

View full text Add to dashboard Cite

Authority �is publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. �is guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. �is publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

show abstract

Still Computers Networking is Less Secure Than It should be, Causes and Solution

Aref,

Ouda

2023

2023 International Symposium on Networks, Computers and Communications (ISNCC)

View full text Add to dashboard Cite

Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access

Cited by 4 publications

References 16 publications

What Email Servers Can Tell to Johnny: An Empirical Study of Provider-to-Provider Email Security

What Email Servers Can Tell to Johnny: An Empirical Study of Provider-to-Provider Email Security

Trustworthy email

Still Computers Networking is Less Secure Than It should be, Causes and Solution

Contact Info

Product

Resources

About