On Fri, Oct 30, 2015 at 12:00:30PM +0100, Aaron Zauner wrote:

> Starting up this thread again; our paper has been published today
> open-access and our data-sets are currently in the process of being
> published on scans.io.
>
> The paper is available at http://arxiv.org/abs/1510.08646
>
> In terms of scanning methodology there's nothing entirely new here
> but we've collected TLS enumeration scans for all publicly available
> e-mail servers (POP, IMAP, SMTP) on the Internet.

Thanks for the paper; it contains a substantial quantity of useful
information. I am however rather disappointed by how some of the
results are interpreted, at least by non-experts:

http://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/

    Offsetting that progress was a finding that about 770,000 SMTP
    servers associated with the Alexa top million list still failed to
    properly secure their systems. Only 82 percent of them supported
    TLS, and of those, only 35 percent were properly configured to allow
    one server to cryptographically authenticate itself to another.

What's missing here is that having trusted SSL certificates offers zero
protection for MTA-to-MTA SMTP. Any time/money spent on such
certificates is essentially wasted. Barring DANE or similar out-of-band
policy, certificates *cannot* protect MTA-to-MTA SMTP from MITM attacks.
I cringe every time someone bemoans the lack of "valid" certificates in
SMTP; such certificates are largely a worthless fashion statement.
(Some domains have bilateral arrangements with business partners to
verify email traffic certificates, but these arrangements are
exceedingly rare).

STARTTLS is designed to thwart exactly one attack: *passive* wiretap.
It works as designed for just that attack. It is not surprising that
active attacks can and do defeat STARTTLS. Hence, DANE for SMTP and
related efforts.

No mass-scale use of end-to-end encryption is looming to save the day,
so transport security is finally getting the attention it deserves. My
DANE survey is at 9000 domains and counting, with adoption picking up
the pace a bit lately. Some domain hosting providers have implemented
tens of thousands of additional DANE domains that do not show up in my
surveys. It is still very early in the process, but I am cautiously
optimistic.

-- 
Viktor.
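The point of the message above is that an SMTP client can only authenticate a peer MTA's certificate when an out-of-band policy such as DANE says what to expect. The following is an added illustration (not code from the paper, the post, or any MTA) of the matching step a DANE-aware SMTP client performs against TLSA records per RFC 6698 and RFC 7672; the `_25._tcp.<mx-host>` records are assumed to have already been obtained via a DNSSEC-validated lookup, and the DER byte strings are constructed stand-ins for the server's presented chain.

```python
import hashlib
from typing import NamedTuple, Sequence, Tuple

# RFC 7672 section 3.1.3: only DANE-TA(2) and DANE-EE(3) apply to SMTP;
# PKIX-TA(0)/PKIX-EE(1) would need a trusted CA path and are unusable.
SMTP_USAGES = {2, 3}
HASHES = {0: lambda b: b,                               # exact match
          1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}

class TLSA(NamedTuple):
    usage: int
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 1 1 <hex>'."""
    u, s, m, hexdata = rdata.split(None, 3)
    return TLSA(int(u), int(s), int(m), bytes.fromhex(hexdata.replace(" ", "")))

def make_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Build the rdata a zone operator would publish for a given certificate."""
    selected = cert_der if selector == 0 else spki_der
    return f"{usage} {selector} {mtype} {HASHES[mtype](selected).hex()}"

def dane_verify(records: Sequence[str], chain: Sequence[Tuple[bytes, bytes]]) -> str:
    """chain[0] is the leaf (cert_der, spki_der); chain[1:] are its issuers.
    Returns 'authenticated', 'mismatch', or 'unauthenticated' (no usable
    record: the client still uses TLS but cannot verify who it talks to)."""
    usable = [r for r in map(parse_tlsa, records)
              if r.usage in SMTP_USAGES and r.mtype in HASHES]
    if not usable:
        return "unauthenticated"
    for r in usable:
        # DANE-EE(3) names the end-entity cert; DANE-TA(2) names an issuer.
        candidates = chain[:1] if r.usage == 3 else chain[1:]
        for cert_der, spki_der in candidates:
            if HASHES[r.mtype](cert_der if r.selector == 0 else spki_der) == r.data:
                return "authenticated"
    return "mismatch"

# Constructed stand-in DER blobs (real ones come from the TLS handshake).
LEAF = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")
ISSUER = (b"constructed-issuer-cert-der", b"constructed-issuer-spki-der")

if __name__ == "__main__":
    print(dane_verify([make_tlsa(3, 1, 1, *LEAF)], [LEAF, ISSUER]))   # authenticated
    print(dane_verify(["1 0 1 " + "00" * 32], [LEAF, ISSUER]))         # unauthenticated
```

Without any TLSA record the result is the "unauthenticated" branch, which is exactly the opportunistic STARTTLS case the message describes: encryption against a passive wiretap, no protection against an active peer.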