The STARTTLS mechanism allows upgrading insecure protocols to a TLS-encrypted connection. This mechanism is incredibly fragile and almost by default leads to vulnerable implementations. In 2011 Wietse Venema discovered a flaw in Postfix that allowed a man-in-the-middle attacker to inject commands into an encrypted connection [1].
We discovered that the flaw is still widely present in e-mail servers and, previously unknown, that the same flaw also exists in many mail clients. In some cases these flaws allow stealing e-mail credentials. Furthermore, the STARTTLS mechanism is weakly specified and in part contradictory, which allows other attacks.
The talk will give an overview of why STARTTLS is dangerous and should be avoided.
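To make the 2011 Postfix class of bug concrete, here is an added simulation (not code from the talk, from Postfix, or from any real mail server) of the buffer-handling mistake that lets a man-in-the-middle inject plaintext commands into the later encrypted session. A network attacker appends its own command to the client's STARTTLS line inside the same TCP segment; a server that already read those bytes into its line buffer, and does not flush that buffer when it switches the socket to TLS, goes on to execute the attacker's command as if it had arrived encrypted. The TLS handshake itself is simulated by a flag, the SMTP replies are shortened, and the constructed attacker segment and the `StartTlsServer` / `run_attack` names are this example's own. The same buffer discipline applies on the client side, where a malicious server can pipeline data after its `220` reply.

```python
"""Toy SMTP-style STARTTLS server showing plaintext-after-STARTTLS injection.

Constructed example: the TLS handshake is simulated by a boolean, and the
"attacker" is modelled as bytes glued onto the client's STARTTLS segment.
"""
from dataclasses import dataclass, field


@dataclass
class StartTlsServer:
    strict: bool                     # False = vulnerable buffering, True = fixed
    buf: bytes = b""                 # bytes read from the socket but not yet parsed
    tls: bool = False                # simulated "socket is now wrapped in TLS"
    closed: bool = False
    log: list = field(default_factory=list)        # (verb, tls_active_when_executed)
    responses: list = field(default_factory=list)

    def feed(self, data: bytes) -> None:
        """Deliver one TCP segment's worth of bytes and process complete lines."""
        if self.closed:
            return
        self.buf += data
        while b"\r\n" in self.buf and not self.closed:
            line, self.buf = self.buf.split(b"\r\n", 1)
            verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
            # Record under which security state each command is acted upon.
            self.log.append((verb, self.tls))
            if verb == "STARTTLS":
                self._starttls()
            else:
                self.responses.append("250 OK")

    def _starttls(self) -> None:
        if self.tls:
            self.responses.append("503 TLS already active")
            return
        if self.strict and self.buf:
            # Fixed behaviour: a conforming client sends nothing after STARTTLS
            # until the handshake is done, so leftover plaintext means an
            # attacker (or a broken peer). Refuse the upgrade and drop the bytes
            # instead of carrying them across into the encrypted session.
            self.responses.append("554 5.5.1 unexpected plaintext after STARTTLS")
            self.buf = b""
            self.closed = True
            return
        self.responses.append("220 Ready to start TLS")
        self.tls = True   # real code would wrap the socket here
        # Vulnerable behaviour (strict=False): self.buf still holds whatever was
        # pipelined in plaintext, and feed()'s loop now executes it as if it had
        # arrived inside the TLS session.


def run_attack(strict: bool) -> StartTlsServer:
    """Replay the constructed MITM segment against a vulnerable or fixed server."""
    srv = StartTlsServer(strict=strict)
    # Constructed attacker segment: the victim's EHLO + STARTTLS, with an
    # injected RSET appended by the man-in-the-middle before any TLS exists.
    srv.feed(b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n")
    # The real client now completes the (simulated) handshake and sends its
    # first genuinely encrypted command.
    srv.feed(b"MAIL FROM:<alice@example.org>\r\n")
    return srv


if __name__ == "__main__":
    for strict in (False, True):
        s = run_attack(strict)
        print("strict" if strict else "vulnerable", s.log, s.responses)
```

In the vulnerable run the injected `RSET` is logged with `tls=True`, i.e. the server treats an attacker-chosen plaintext command as part of the authenticated, encrypted session; in the fixed run the upgrade is refused and nothing after STARTTLS is executed. Whether a real server drops the bytes or, as here, refuses the connection is an implementation choice; what matters is that nothing read before the handshake survives into the session after it.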
Speaker(s): Hanno Böck
Location: Crypto & Privacy Vlg
Discord: https://discord.com/channels/7082082...34002011832320
Event starts: 2020-08-07 10:00 (10:00 AM) PDT (UTC -07:00)
Event ends: 2020-08-07 11:00 (11:00 AM) PDT (UTC -07:00)
For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-07-30T05:21 (UTC).
