Engineers from Google, Microsoft, Yahoo, Comcast, LinkedIn and 1&1 Mail & Media Development & Technology have collaborated on SMTP Strict Transport Security (SMTP STS), a new mechanism that lets email providers define policies and rules for establishing encrypted email communications.
Defined in a draft published last week for consideration as an Internet Engineering Task Force (IETF) standard, the proposal is aimed at strengthening security for the heavy volume of email traffic sent over the Internet every day.
According to the text of the draft, “SMTP STS is a mechanism enabling mail service providers to declare their ability to receive TLS-secured connections, to declare particular methods for certificate validation, and to request sending SMTP servers to report upon and/or refuse to deliver messages that cannot be delivered securely.”
The current Simple Mail Transfer Protocol (SMTP) dates back to 1982 and was not built with any encryption, making it vulnerable to interception via man-in-the-middle attacks. The proposed protocol is similar to HTTP Strict Transport Security (HSTS), which is meant to prevent HTTPS downgrade attacks by caching a domain’s HTTPS policy locally in the browser.
This approach does, however, assume that the first connection from a particular client to the server was not intercepted; otherwise, a fraudulent policy might have been cached.
SMTP STS policies are defined through special DNS records added to the email server’s domain name. The protocol provides mechanisms for clients to automatically validate these policies and to report back on any failures.
Servers can also tell clients to cache their SMTP STS policies for a specific amount of time, in order to prevent man-in-the-middle attackers from serving fraudulent policies when clients attempt to connect.
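As an added illustration (not code from the draft or from this article) of the sender-side logic the last two paragraphs describe: a policy cache that will not let a still-valid policy be replaced by a weaker one, and a delivery decision that refuses or reports when TLS cannot be established as the policy demands. The first policy seen is trusted as-is, which is the first-connection assumption noted above. The `version`/`mode`/`mx`/`max_age` field names follow the later standardized MTA-STS format (RFC 8461) and are an assumption here; the 2016 draft's record syntax differs.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class StsPolicy:
    mode: str        # "enforce", "testing" or "none" (assumed values)
    mx: list         # hostname patterns the receiving domain declares
    max_age: int     # seconds the sender should keep the policy cached
    fetched_at: float

def parse_policy(text, now):
    """Parse a 'key: value' policy into StsPolicy (constructed format)."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), []).append(value.strip())
    if fields.get("version") != ["STSv1"]:
        raise ValueError("unsupported policy version")
    return StsPolicy(mode=fields["mode"][0], mx=fields.get("mx", []),
                     max_age=int(fields["max_age"][0]), fetched_at=now)

class PolicyCache:
    """Sender-side cache. While a cached policy is within its max_age, a newly
    served weaker policy is ignored, which is what blocks a MITM downgrade."""
    def __init__(self):
        self.store = {}

    def update(self, domain, fresh, now):
        cached = self.store.get(domain)
        still_valid = cached and now < cached.fetched_at + cached.max_age
        if still_valid and cached.mode == "enforce" and fresh.mode != "enforce":
            return cached  # keep the trusted policy, drop the downgrade
        self.store[domain] = fresh
        return fresh

def delivery_decision(policy, starttls_offered, cert_hostname):
    """Return ('deliver' | 'refuse', failure reason or None) for one attempt.
    A non-None reason is what the sender would include in a failure report."""
    if not starttls_offered:
        reason = "no STARTTLS offered"
    elif not any(fnmatch(cert_hostname, p) for p in policy.mx):  # simplified match
        reason = f"certificate {cert_hostname} matches no declared MX"
    else:
        return "deliver", None
    # only an enforcing policy turns a failure into a refusal; others report only
    return ("refuse" if policy.mode == "enforce" else "deliver"), reason
```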