SMTP or Simple Mail Transfer Protocol was first developed in 1982 and at that time it had very few security features. Though at that time there was not much concerns, later it became a major security concern. And, SMTP STS or SMTP Strict Transport Security is a policy which is developed for addressing security concerns of SMTP like TLS Downgrade Attacks and DNS Hijacking while transporting emails between mail servers.
Security Concerns of SMTP
As said above, SMTP has very few security features, resulting in some major security concerns. TLS Downgrade Attacks and DNS Hijacking are two major security concerns that makes email transport quite vulnerable.
Let's discuss in brief how these two attacks make email transport so vulnerable.
TLS Downgrade Attack
When a source Mail Server wants to send an email to a destination Mail Server, the communication is not by default encrypted. A STARTTLS command is sent first and then, when both the Mail Servers agrees on STARTTLS command, they go ahead and establish a TLS connection between them to transfer the email. Otherwise, the email is sent in cleartext format.
In TLS Downgrade Attack, the attacker first perpetrates a Man-In-The-Middle Attack and changes the STARTTLS command transferred between the Mail Servers. As a result, both the Mail Servers are tricked to believe that the other one does not support TLS. And the email is transferred in cleartext format, following which the atacker is now free to steal sensitive data transferred over the email communication.
You would find more information on how TLS Downgrade Attacks are perpetrated while transporting emails here : TLS Downgrade Attacks while transporting Emails
The source Mail Server needs to know the IP address corresponding to the destination Mail Server before transferring the email. For that purpose, the source Mail Server makes a query to the DNS Servers and fetches MX record containing the said IP address.
But, attackers can perpetrate a DNS Hijacking Attack at that time and trick the source Mail Server to obtain a fraudulent MX record containing the IP address of the attacker controlled Mail Server. As a result, the source Mail Server ends up sending the sensitive email to the attacker's Mail Server, following which the attacker can steal sensitive data and transfer the email back to the actual destination Mail Server to make the attack transparent.
You would find more information on how DNS Hijacking Attacks are perpetrated while transporting emails : DNS Hijacking Attacks while transporting Emails
DANE or DNS-based Authentication of Named Entities is a protocol which is developed recently which can address the above security concerns of SMTP, though it has some other concerns.
In this protocol, the source Mail Server makes a DNS query to obtain TLSA records from the DNS Servers before sending the email. TLSA records are a new DNS resource records that contains information on the digital certificate or the Certificate Authority which are used in the subsequent TLS connection between the source and destination Mail Servers.
So, the source Mail Server first obtains the TLSA records from the DNS Servers and then validates the records using DNSSEC. In DNSSEC, responses from DNS Servers are validated with digital signatures and cryptographic keys. As it will not be possible for attackers to duplicate cryptographic keys and affect DNSSEC responses, DANE can address the above security concerns of SMTP up to a great extent.
You would find more information on how DNSSEC works here : DNSSEC
Though DANE can address the major security concerns of SMTP up to a great extent, it may not prove to be much convenient.
DANE requires DNSSEC for the secure delivery. But, implementation of DNSSEC is quite compex and its adoption is quite slow. And, to address those concerns a new protocol called SMTP STS is very recently developed.
SMTP STS or SMTP Strict Transport Security is a policy that ensures secure SMTP sessions over TLS. It presents a variant for systems which do not yet support DNSSEC. It also specifies a method for reporting TLS negotiation failures while establishing a TLS connection between the Mail Servers.
The main difference between DANE and SMTP STS is, DANE requires DNSSEC to authenticate DANE TLSA records. But, SMTP STS relies on the Certificate Authority system to avoid interceptions.
How does SMTP STS work
When an email is sent from source Mail Server to destination Mail Server, it typically follows the following steps :
- The source Mail Server makes DNS query and obtains the TXT record and MX record of the destination Mail Server. The TXT record contains information on the SMTP STS policy of the destination Mail Server. And, the MX record presents its TLS certificate.
- The next step for the source Mail Server honoring SMTP STS policy is to fetch and validate the policy.
- If the TXT record specifies DNSSEC, the source Mail Server should retrieve the policy via DNSSEC.
- If the TXT record specifies Web PKI, the source Mail Server should establish an HTTPS connection to a specified host at the domain matching that of the destination Mail Server. The HTTP response body thus obtained must match the policy initially loaded by via the DNS TXT method.
- The next step is policy validation. For Web PKI, the certificate presented by the MX reecord must be valid for the MX name and chain to a root CA that is trusted by the source Mail Server.
- Otherwise, DANE TLSA is used to validate the certificate.
- Aggregate statistics on the policy failure may be reported to a specified URI for diagnosis.
Security of SMTP STS
As discussed above, SMTP STS relies on proper validation of the policy and the certificate. As the chances of compromising a Certificate Authority is considerably less, it becomes quite difficult for the attackers to intercept the connections and make attacks.
This was an informative article on SMTP STS and how it helps to address some major security concerns that SMTP has. Hope it helped.