[Ach] Fwd: E-Mail Protocol Security Measurements

Aaron Zauner azet at azet.org
Mon Jul 27 21:44:32 CEST 2015

-------- Original Message --------
Subject: E-Mail Protocol Security Measurements
Date: Mon, 27 Jul 2015 15:17:52 +0200
From: Aaron Zauner <azet at azet.org>
To: uta at ietf.org <uta at ietf.org>, ietf at ietf.org
CC: Wilfried Mayer <WMayer at sba-research.org>,  Martin Mulazzani
<mmulazzani at sba-research.org>


UTA chairs recommended sending a mail about this to the UTA and IETF
lists. We're currently analyzing our datasets -- so more/detailed data
will become available shortly.

Over the past couple of months we've been collecting SMTP, IMAP and POP
(implicit TLS, STARTTLS) security measurements (primarily relating to
TLS, X.509 Certs and offered protocol extensions). I've given a short
talk at IETF93 in SAAG on the topic, the slides can be found over here:

 * RC4 support is at about 83-85%
 * unsurprisingly TLS 1.0 is most widely supported
 * ~60% of certificates are self-signed
 * a huge number of servers offer AUTH PLAIN (some without STARTTLS)
 * 512bit DH(E) primes are very common
 * ECDH: most use 256bit group size
 * RC2-CBC-MD5 is supported by 40% of SMTP servers we've studied,
 * IDEA-CBC-MD5 by 14%

We've also found 5-6% support of export ciphers in these protocols.

If you have any questions regarding any of our scans or need data points
for your drafts, recommendations or any current work - we'd be happy to
help you out there as best as we can.

Note that we have an outstanding TLS enumeration scan on port 587. We've
collected banner messages and certificates from 465 and 587 already though.

We don't yet have a publication ready and our data sets are currently
not public, but will be in the foreseeable future. However we're happy
to provide details if any of you have questions.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150727/beac9f04/attachment.sig>

More information about the Ach mailing list