Bugzilla – Bug 1189208
VUL-0: NOSTARTTLS: A security analysis of STARTTLS in the EMail context
Last modified: 2021-09-03 14:56:12 UTC
Connections between email clients and servers provide two ways to be protected with TLS: While implicit TLS encrypts the whole connection and runs on a separate port, STARTTLS provides a mechanism to upgrade existing unencrypted connections.
Sometimes STARTTLS is seen as an opportunistic encryption mode that provides TLS protection only when available. This is trivially vulnerable to downgrade attacks. However, modern email clients usually have the expectation that STARTTLS is enforced, and when enabled, no unencrypted communication is possible.
Upgrading of connections via STARTTLS is fragile and vulnerable to a number of security vulnerabilities and attacks. We found more than 40 vulnerabilities in STARTTLS implementations. We conclude that these vulnerabilities are so common that we recommend to avoid using STARTTLS when possible.
i linked all CVEs referenced in the paper to this bug, perhaps incomplete