Return to schedule

Avoid STARTTLS Feedback

Many protocols, including the email protocols SMTP, POP3 and IMAP, allow two ways to use TLS: An implicit mode on a dedicated port and a mechanism called STARTTLS that upgrades plain text connections to TLS.

The STARTTLS mechanism is incredibly fragile and almost by default leads to vulnerable implementations. In 2011 Wietse Venema discovered a flaw in Postfix that allowed a man in the middle attacker to inject commands into an encrypted connection [1].

We discovered that the flaw is still widely present in E-Mail servers and also, previously unknown, the same flaw exists in many mail clients. In some cases these flaws allow stealing E-Mail credentials. Furthermore the STARTTLS mechanism is weakly specified and in part contradictory, which allows other attacks.

The talk will give an overview on why STARTTLS is dangerous and should be avoided.


Speakers for Avoid STARTTLS:


Metadata for Avoid STARTTLS

To be recorded: Yes

URLs for Avoid STARTTLS

Recording: https://www.youtube.com/watch?v=kgR1nQYWBM8


Schedule for Avoid STARTTLS

  • Saturday, Aug 15th, 2020, 16:00 (CEST) - Saturday, Aug 15th, 2020, 17:00 (CEST) at Speakers Tent