
E-Mail Protocol Security Measurements

2015-07-29 09:59:41
Hi,

UTA chairs recommended sending a mail about this to the UTA and IETF
lists. We're currently analyzing our datasets -- so more/detailed data
will become available shortly.

Over the past couple of months we've been collecting SMTP, IMAP and POP
(implicit TLS, STARTTLS) security measurements (primarily relating to
TLS, X.509 Certs and offered protocol extensions). I've given a short
talk at IETF93 in SAAG on the topic; the slides can be found over here:
https://www.ietf.org/proceedings/93/slides/slides-93-saag-2.pdf

 * RC4 support is at about 83-85%
 * unsurprisingly TLS 1.0 is most widely supported
 * ~60% of certificates are self-signed
 * a huge number of servers offer AUTH PLAIN (some without STARTTLS)
 * 512-bit DH(E) primes are very common
 * ECDH: most use 256-bit group size
 * RC2-CBC-MD5 is supported by 40% of SMTP servers we've studied,
 * IDEA-CBC-MD5 by 14%

We've also found 5-6% support of export ciphers in these protocols.

If you have any questions regarding any of our scans or need data points
for your drafts, recommendations or any current work - we'd be happy to
help you out there as best as we can.

Note that we have an outstanding TLS enumeration scan on port 587. We've
collected banner messages and certificates from 465 and 587 already though.

We don't yet have a publication ready and our data sets are currently
not public, but will be in the foreseeable future. However, we're happy
to provide details if any of you have questions.

Thanks,
Aaron

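
An added example (not part of the original message, and not the authors' scanning code): a small Python check that flags, for a single mail server, the weaknesses the message lists, namely AUTH PLAIN offered before or without STARTTLS, RC4/RC2/IDEA/export cipher suites, and small DH primes. The function names, finding codes, sample data and the 2048-bit DH threshold are assumptions made for illustration.

```python
import re

# Tokens in OpenSSL-style cipher names that mark the weak suites the message lists.
WEAK_TOKENS = {"RC4", "RC2", "IDEA", "EXP"}
MIN_DH_BITS = 2048  # assumed policy threshold, not a figure from the message

def parse_ehlo(reply):
    """Parse a multi-line SMTP EHLO reply into {KEYWORD: [PARAMS]}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:  # line 1 is the server greeting
        m = re.match(r"^250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$", line.strip())
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").upper().split()
    return caps

def audit(cleartext_ehlo, accepted_ciphers, dh_bits=None):
    """Return finding codes for one server from its pre-TLS EHLO and TLS scan data."""
    caps = parse_ehlo(cleartext_ehlo)
    findings = []
    if "PLAIN" in caps.get("AUTH", []):
        # AUTH PLAIN is only base64-encoded, so offering it pre-TLS exposes passwords.
        findings.append("AUTH-PLAIN-BEFORE-TLS")
        if "STARTTLS" not in caps:
            findings.append("AUTH-PLAIN-NO-STARTTLS")
    for name in accepted_ciphers:
        if WEAK_TOKENS & set(name.upper().split("-")):
            findings.append("WEAK-CIPHER:" + name)
    if dh_bits is not None and dh_bits < MIN_DH_BITS:
        findings.append("WEAK-DH:%d" % dh_bits)
    return findings

# Constructed sample data (not taken from the scans described above).
SAMPLE_EHLO = """250-mail.example.test
250-SIZE 35882577
250-AUTH=PLAIN LOGIN
250 8BITMIME"""
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA",
                  "EXP-RC2-CBC-MD5", "IDEA-CBC-MD5"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EHLO, SAMPLE_CIPHERS, dh_bits=512):
        print(finding)
```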