AusCERT2023 - TLS OR GTFO (Analysis of SMTP TLS Implementations) - Jamie Gillespie

Whether we like it or not, email is being used by individuals and businesses to send some pretty sensitive information.

Web browsers have padlocks and “Not secure” warnings, have removed support for the older TLS versions 1.0 and 1.1, and give the user obvious visual cues as to whether their connection is encrypted or not. But the average email client doesn’t give any indication of whether your email will be encrypted properly while in transit (or encrypted at all!).

While a future with DANE will save us from SMTP downgrade attacks, we first must fix the past (basic TLS config) before we can go Back to the Future with DANE.

In this session, Jamie will present his findings from analysing the SMTP TLS, DANE, and DNSSEC implementations from Australia’s major ISPs, ASX 100 companies, universities, and international email providers.

Attendees will come away with an understanding of the state of play in SMTP server encryption, the actions needed to check and improve their own SMTP server configuration, and yet another thing to hassle their critical vendors about.