Questions tagged [starttls]

The tag has no usage guidance.

0 votes
2 answers
164 views

What does the IMAP banner alone show regarding security (STARTTLS, hashing, information disclosure)?

I encountered an open TCP/143 IMAP port which responded with this banner: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=...
Bob Ortiz • 6,715

3 votes
1 answer
932 views

What are the risks of an MTA-STS policy with a long max_age?

In setting up SMTP MTA Strict Transport Security (RFC 8461) for my domain, I've noticed some contradictory advice and practice: although the maximum value for the max_age policy value is around one ...
Emily • 33

1 vote
1 answer
3k views

Is LDAPS or StartTLS more secure?

This question has been asked and answered here, here, and also basically here. I'm asking again because the answers and information are conflicting. LDAPS: According to Wikipedia (and its RFC sources) ...
jeffrey.d.m

3 votes
3 answers
6k views

How to check if a mail server is using Enforced-STARTTLS rather than Opportunistic-STARTTLS?

This article tells us that there are two types of STARTTLS: Opportunistic (i.e. optional STARTTLS) STARTTLS and Enforced STARTTLS, which works by the doctrine of "Encrypted connection or drop ...
user75058

0 votes
1 answer
1k views

LDAP StartTLS encryption - which TLS versions are supported?

I am looking to set a third party application to authenticate with our domain. The application supports LDAPv3 and we have opted to use the StartTLS extension to encrypt the credentials from the ...
arbi • 1

1 vote
0 answers
140 views

Can EAP-TTLS provide the dual authentication I require?

What I want to do: Lock down the Tech Vlan so that only an approved device AND a user in the tech security group are allocated. I am hoping to achieve this via EAP-TTLS and Windows NPS whereby the ...
Matt • 111

3 votes
1 answer
1k views

Is traffic subsequent to a SASL/GSSAPI bind encrypted?

When making a SASL/GSSAPI bind to an LDAP server over port 389 (ldap:///), after the authentication is finished is the resulting LDAP traffic encrypted? If so, is there a document or RFC that ...
rlandster • 373

34 votes
2 answers
7k views

Why is STARTTLS used when it can be downgraded very easily?

People are making a big fuss about how you absolutely have to disable SSLv3 because TLS can be downgraded to SSLv3 and there is barely a server left on the internet that speaks SSLv3. At the same ...
AndreKR • 517

1 vote
1 answer
921 views

SMTP Service STARTTLS Plaintext Command Injection

We are getting this vulnerability on SUSE Linux Enterprise Server 11. This vulnerability is getting triggered on port 587 for postfix. I have checked several links but I am unable to get any relevant ...
Esskay • 11

3 votes
1 answer
460 views

How to Force STARTTLS on Outlook and other clients

I am currently writing an essay about securing e-mail. Now I'm at the point where I want to know if it's possible to force TLS in connections via SMTP or POP3/IMAP from the clients' side. I know I can ...
Cyberduck • 674

8 votes
2 answers
2k views

Why are common services using implicit SSL not considered obsolete in the way that SMTPS is?

SMTPS (implicit SSL) has been deprecated/obsolete since SMTP+STARTTLS (explicit SSL) was defined in RFC2487. I'm not entirely clear on the reasoning behind that, but it was clearly considered a good ...
Synchro • 727

1 vote
1 answer
377 views

How SSL works in SMTP?

Whenever I see a red lock icon in gmail, I thought the sender doesn't have SSL configured. But one person told me only server (gmail in our case) SSL is enough? Does that mean the sender doesn't ...
Giri • 155

4 votes
2 answers
3k views

What happens if STARTTLS dropped in SMTP?

SMTP uses STARTTLS extension to upgrade SMTP to SMTP Secure (SMTPS). According to the RFC, the client and server start TLS as follows: S: <waits for connection on TCP port 25> C: <opens ...
user6875880

0 votes
1 answer
231 views

Trusting a fraudulent/not trusted CAs for STARTTLS/SMTP

When using STARTTLS for SMTP, should one trust CAs that are not trusted by major browsers, like for example WoSign or StartCom? As STARTTLS falls back to plaintext it seems an encrypted transmission ...
architekt • 1,006

2 votes
3 answers
2k views

What is the purpose of opportunistic TLS (like STARTTLS)?

Opportunistic TLS refers to extensions in plain text communication protocols, which offer a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate ...
Bob Ortiz • 6,715
