SSL/TLS vs. STARTTLS

User Help for Mozilla Thunderbird
foobar12345
Posts: 11
Joined: July 17th, 2013, 1:14 am

SSL/TLS vs. STARTTLS

Post by foobar12345 »

If you google about this topic you will find many different answers contradicting each other, that's why I hope I can get some clear and correct answers here.

Thunderbird (talking about current version 17, but it's like this since version 3) offers three methods of encrypting transfers:
  • None
  • SSL/TLS
  • STARTTLS
And before TB version 3, there were these options:
  • None
  • SSL
  • TLS
  • TLS, if available
With TB version 3 the last two were merged and renamed to "STARTTLS" and the "SSL" was renamed to "SSL/TLS" in the config dialog (while STARTTLS is an official protocol on its own, different from TLS, while TLS is the successor of SSL). And I often read on the internet that Thunderbird could fall back to plaintext transfer when using STARTTLS without notifying me! STARTTLS is also the default configuration of Thunderbird.

The questions are:
  1. Can Thunderbird really fall back to plaintext transfer without telling me and establish the connection anyway (which would be a security risk)?
  2. What version of SSL, TLS and STARTTLS does Thunderbird support?
  3. Is there some indicator in TB telling which encryption method (protocol and version) is actually used?
  4. Is there a way to force TB to use TLS and, if not supported by the server, to not connect at all? (The option "SSL/TLS" seems unable to handle TLS even though it's in the name, I tried it, and STARTTLS, which could do TLS, may have the "silent fallback" security risk.)
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: SSL/TLS vs. STARTTLS

Post by rsx11m »

First of all, both SSL/TLS and STARTTLS mechanisms are based on the same SSL or TLS protocols. The main difference is:
  • With SSL/TLS, the connection starts with the negotiation of the encryption before anything else happens. Only once that has been accomplished, the actual IMAP/POP/SMTP protocol begins.
  • With STARTTLS, the connection is initially not encrypted, but then negotiated at the beginning of the IMAP/POP/SMTP protocol before any "real" communication of passwords and data occurs.
Thus, both variants are equally secure. Simplifying, you can think of SSL/TLS as "plain communication over an encrypted channel" and STARTTLS of "encrypted communication over a plain channel."

As for the labels, they were ambiguous in the pre-3.0 versions. SSL and TLS are essentially the same protocol with a different name, and both can be applied for either connection variant. SSL stopped being called as such with SSL version 3.0; its successor wasn't called SSL 3.1 but TLS 1.0 instead. Then there are the newer TLS 1.1 (think of SSL 3.2) and TLS 1.2 (SSL 3.3) versions. Newer Thunderbird releases therefore switch to "SSL/TLS" for the encrypted-connection variant whereas "STARTTLS" stands for the protocol name where the encryption occurs after the connection has been established.

The advantage of STARTTLS is that it doesn't need a dedicated port to connect to (e.g., IMAP works with port 143 for both unsecured and STARTTLS connections whereas SSL/TLS has to use port 993 instead). This makes it possible to determine "on the fly" whether or not encryption should be used, hence the "TLS if available" option. As you pointed out in your #4 item, this indeed meant that you don't know if encryption is actually applied (this was an option for providers which required, for example, that no encryption is used when connecting within their own network, but was required when connecting from an outside location to the same server). Thus, the option has been deprecated. Meaning, your #4 suggestion is happening whenever STARTTLS is selected (i.e., you should get an error message if the server doesn't support STARTTLS).

As for your other questions:
  1. No, per the explanation above, unless you've migrated your profile from a pre-3.0 version and had the "TLS if available" option selected there and didn't change it (at least that was still permissible in 3.x, I don't know if it was actually removed entirely with newer versions). It is not possible to select this when setting up a new account with 3.0 or later.
  2. Thunderbird 17.0.x supports SSL 3.0 and TLS 3.1 versions; Thunderbird 24.0 (coming up in September) should also support TLS 1.1 and TLS 1.2, but those may not be enabled by default.
  3. I'm not aware of a Page Info style dialog or indicator telling you which version (and which TLS suites or extensions) are used. There is only the generic "lock" symbol in the account icon in the folder list.
  4. Same as #1, no communication should be performed if STARTTLS is selected but can't be established.
In summary, you should only run into a security risk when selecting no connection security at all and no password encryption either.
foobar12345
Posts: 11
Joined: July 17th, 2013, 1:14 am

Re: SSL/TLS vs. STARTTLS

Post by foobar12345 »

Thank you very much for explaining it. :) Then I think I can use STARTTLS. I configured all my accounts for "SSL/TLS" because I was not sure if "STARTTLS" is more safe or less safe.
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: SSL/TLS vs. STARTTLS

Post by rsx11m »

You are welcome. Yes, STARTTLS is safe to use.
foobar12345
Posts: 11
Joined: July 17th, 2013, 1:14 am

Re: SSL/TLS vs. STARTTLS

Post by foobar12345 »

Sorry for bumping this. I just found out about this implementation specification for TLS-based protocols:

https://tools.ietf.org/html/rfc2595

Especially section 2.3 is important:

2.3. Clear-Text Password Requirements

Clients and servers which implement STARTTLS MUST be configurable to
refuse all clear-text login commands or mechanisms (including both
standards-track and nonstandard mechanisms) unless an encryption
layer of adequate strength is active. Servers which allow
unencrypted clear-text logins SHOULD be configurable to refuse
clear-text logins both for the entire server, and on a per-user basis.


Thunderbird does not have such a checkbox to refuse plain-text password transfer, which means there could be fallbacks to plain-text password transfers. So, if Thunderbird does not implement automatic plaintext refusal (which would be nice, but still not in agreement with the standard, which requires a control that the user can operate), it is insecure.
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: SSL/TLS vs. STARTTLS

Post by rsx11m »

Well, as far as I know you get a warning at least if you try to configure an account without either an encrypted password or an encrypted connection. Sure, you can force it after that by ignoring such a warning, so technically it's not refusing that kind of setup (though the specs you cite say "must be configurable to refuse", which could be read as the warning being the initial refusal and thus compliance is maintained), but there are still occasions where it seems to be necessary (e.g., anti-virus software tapping into the connection, thus requiring it to be unencrypted, then [hopefully] taking care of encrypting the communication to the server before it actually goes out).
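As an added example (not from this thread and not Thunderbird's own code): a small Python SMTP client that behaves the way rsx11m describes for STARTTLS (no STARTTLS offered, no session, never a plaintext fallback), applies the RFC 2595 section 2.3 rule foobar12345 quotes (no clear-text login mechanism unless an encryption layer is active), and returns the negotiated TLS version, which is the kind of indicator asked about in question 3. The host name and the EHLO replies are constructed; the two helper functions run offline, the session function needs a real submission server.

```python
import smtplib
import ssl

# Constructed sample EHLO replies in the form smtplib returns them (bytes,
# one capability per line); not captured from any real server.
EHLO_WITH_STARTTLS = b"mail.example.test\nSIZE 35882577\nSTARTTLS\nAUTH PLAIN LOGIN"
EHLO_WITHOUT_STARTTLS = b"mail.example.test\nSIZE 35882577\nAUTH PLAIN LOGIN"

# SASL mechanisms that transmit the password in clear (or trivially decodable).
CLEARTEXT_MECHANISMS = {"PLAIN", "LOGIN"}


def ehlo_offers_starttls(ehlo_message: bytes) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension."""
    lines = ehlo_message.decode("ascii", "replace").splitlines()
    return any(line.strip().upper() == "STARTTLS" for line in lines)


def credentials_may_be_sent(tls_active: bool, mechanism: str) -> bool:
    """RFC 2595 section 2.3 policy: refuse clear-text login mechanisms unless
    an encryption layer is active; other mechanisms are not affected."""
    if tls_active:
        return True
    return mechanism.upper() not in CLEARTEXT_MECHANISMS


def open_strict_starttls_session(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """Open an SMTP session that fails closed: if STARTTLS is not offered or
    the TLS handshake fails, nothing else is sent. Returns the negotiated
    TLS version string (e.g. "TLSv1.3")."""
    ctx = ssl.create_default_context()            # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSL 3.0 / TLS 1.0 / TLS 1.1
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        code, reply = smtp.ehlo()
        if code != 250 or not ehlo_offers_starttls(reply):
            raise RuntimeError("server did not offer STARTTLS; refusing plaintext fallback")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read over the encrypted channel
        version = smtp.sock.version()
        # From here on credentials_may_be_sent(True, "PLAIN") holds, so a
        # clear-text mechanism would be acceptable for smtp.login().
        smtp.quit()
        return version
    except Exception:
        smtp.close()  # tear down without sending anything further in clear
        raise
```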