STARTTLS
STARTTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.

STARTTLS for IMAP and POP3 is defined in RFC 2595, for SMTP in RFC 3207, for XMPP in RFC 3920, for LDAP in RFC 2830, and in RFC 4642 for NNTP.

Layering

TLS is application-neutral; in the words of RFC 5246:
One advantage of TLS is that it is application protocol independent. Higher-level protocols can layer on top of the TLS protocol transparently. The TLS standard, however, does not specify how protocols add security with TLS; the decisions on how to initiate TLS handshaking and how to interpret the authentication certificates exchanged are left to the judgment of the designers and implementors of protocols that run on top of TLS.


The way a protocol specifies its use of TLS follows this same layer distinction, which is also conveniently supported by several library implementations of TLS. For example, the RFC 3207 SMTP extension illustrates with the following dialog how a client and server can start a secure session:

S: <waits for connection on TCP port 25>
C: <opens connection>
S: 220 mail.example.org ESMTP service ready
C: EHLO client.example.org
S: 250-mail.example.org offers a warm hug of welcome
S: 250 STARTTLS
C: STARTTLS
S: 220 Go ahead
C: <starts TLS negotiation>
C & S: <negotiate a TLS session>
C & S: <check result of negotiation>
C: EHLO client.example.org
. . .

The last EHLO command above is issued over the secure channel. Note that authentication is optional in SMTP; the server reply omitted above may now safely advertise an AUTH PLAIN SMTP extension, which was not present in the plain-text reply.
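The client side of that dialog, written out as a small state machine, is shown below. This is an added example, not code from the article or from RFC 3207: the transport is a constructed in-memory fake that replays scripted server replies (a real client would wrap its socket with an ssl.SSLContext at the start_tls() step), and the helper names (parse_reply, ehlo_capabilities, starttls_session) are assumptions of this example. It demonstrates the two points the dialog makes: capabilities learned before the handshake are discarded and EHLO is re-issued after it, and a client that requires TLS fails closed when STARTTLS is not offered instead of continuing in plain text.

```python
"""Client-side STARTTLS state machine for the RFC 3207 SMTP dialog.

Added example, not from the article or the RFC. The transport is a
constructed fake so the exchange runs offline; a real client would
wrap the socket with ssl.SSLContext.wrap_socket() inside start_tls().
"""
import re


class StartTlsRequired(Exception):
    """Server did not offer (or refused) STARTTLS and policy forbids plaintext."""


def parse_reply(lines):
    """Parse an SMTP reply into (code, [text lines]).

    Intermediate lines of a multi-line reply look like '250-text';
    the final line looks like '250 text'.
    """
    code, texts = None, []
    for i, line in enumerate(lines):
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        c, sep, text = m.groups()
        if code is None:
            code = int(c)
        elif int(c) != code:
            raise ValueError("reply code changed mid-reply")
        texts.append(text)
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("multi-line reply terminated at the wrong line")
    return code, texts


def ehlo_capabilities(texts):
    """EHLO reply: line 1 is the server greeting, later lines are extension keywords."""
    return {t.split()[0].upper() for t in texts[1:] if t.strip()}


class FakeTransport:
    """Constructed stand-in for a socket: scripted replies, records client commands."""

    def __init__(self, plain_replies, tls_replies):
        self.scripts = {False: list(plain_replies), True: list(tls_replies)}
        self.tls_active = False
        self.sent = []  # (tls_active, command) pairs, for inspection

    def readline(self):
        return self.scripts[self.tls_active].pop(0)

    def send(self, command):
        self.sent.append((self.tls_active, command))

    def start_tls(self):
        # A real implementation performs the TLS handshake here.
        self.tls_active = True


def read_reply(transport):
    """Collect lines until the final 'CODE text' line, then parse them."""
    lines = []
    while True:
        line = transport.readline()
        lines.append(line)
        if re.match(r"^\d{3} ", line):
            return parse_reply(lines)


def starttls_session(transport, client_name, require_tls=True):
    """Run greeting -> EHLO -> STARTTLS -> handshake -> EHLO; report what was learned."""
    code, _ = read_reply(transport)  # 220 greeting
    if code != 220:
        raise RuntimeError(f"unexpected greeting {code}")
    transport.send(f"EHLO {client_name}")
    code, texts = read_reply(transport)
    pre_tls_caps = ehlo_capabilities(texts) if code == 250 else set()

    if "STARTTLS" not in pre_tls_caps:
        if require_tls:
            raise StartTlsRequired("STARTTLS not offered; refusing plaintext session")
        return {"tls": False, "pre_tls_caps": pre_tls_caps, "post_tls_caps": pre_tls_caps}

    transport.send("STARTTLS")
    code, _ = read_reply(transport)
    if code != 220:
        raise StartTlsRequired(f"server refused STARTTLS with {code}")
    transport.start_tls()

    # Everything learned before the handshake is untrusted: re-issue EHLO.
    transport.send(f"EHLO {client_name}")
    code, texts = read_reply(transport)
    post_tls_caps = ehlo_capabilities(texts) if code == 250 else set()
    return {"tls": True, "pre_tls_caps": pre_tls_caps, "post_tls_caps": post_tls_caps}


# Constructed scripts mirroring the RFC 3207 dialog quoted in the article.
PLAIN_REPLIES = [
    "220 mail.example.org ESMTP service ready",
    "250-mail.example.org offers a warm hug of welcome",
    "250 STARTTLS",
    "220 Go ahead",
]
TLS_REPLIES = [  # the post-TLS EHLO reply now advertises AUTH PLAIN
    "250-mail.example.org offers a warm hug of welcome",
    "250 AUTH PLAIN",
]

if __name__ == "__main__":
    t = FakeTransport(PLAIN_REPLIES, TLS_REPLIES)
    print(starttls_session(t, "client.example.org"))
```

Running the module prints the pre- and post-handshake capability sets; the post-TLS set is the only one the client acts on, which is why AUTH PLAIN is never attempted on the plain-text connection.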

As of October 2011, Gmail and Apple's iCloud are the only two major free email providers to implement STARTTLS on outgoing mail.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.