SSL vs TLS vs STARTTLS

There's often quite a bit of confusion around the different terms SSLTLS and STARTTLS.

SSL and TLS both provide a way to encrypt a communication channel between two computers (e.g. your computer and our server). TLS is the successor to SSL and the terms SSL and TLS are used interchangeably unless you're referring to a specific version of the protocol.

STARTTLS is a way to take an existing insecure connection and upgrade it to a secure connection using SSL/TLS. Note that despite having TLS in the name, STARTTLS doesn't mean you have to use TLS, you can use SSL.

SSL/TLS version numbers

Version numbering is inconsistent between SSL and TLS versions. When TLS took over from SSL as the preferred protocol name, it began a new version number, and also began using sub-versions. So the ordering of protocols in terms of oldest to newest is: SSL v2, SSL v3, TLS v1.0, TLS v1.1, TLS v1.2.

When you connect to an SSL/TLS encrypted port, or use STARTTLS to upgrade an existing connection, both sides will negotiate which protocol and which version to use based on what has been configured in the software and what each side supports.

Support for SSL/TLS is virtually universal these days, however which versions are supported is variable. Pretty much everything supports SSL v3 (except a few very old Palm Treo devicesas we discovered). Most things support TLS v1.0. As at May 2012, support for TLS v1.1 and TLS v1.2 is more limited.

TLS vs STARTTLS naming problem

One significant complicating factor is that some email software incorrectly uses the term TLS when they should have used STARTTLS. Older versions of Thunderbird in particular used "TLS" to mean "enforce use of STARTTLS to upgrade the connection, and fail if STARTTLS is not supported" and "TLS, if available" to mean "use STARTTLS to upgrade the connection if the server advertises support for it, otherwise just use an insecure connection".

SSL/TLS vs plaintext/STARTTLS port numbers

The above is particularly problematic when combined with having to configure a port number for each protocol.

To add security to some existing protocols (e.g. IMAP, POP, etc.), it was decided to just add SSL/TLS encryption as a layer underneath the existing protocol. However, to distinguish that software should talk the SSL/TLS encrypted version of the protocol rather than the plaintext one, a different port number was used for each protocol. So you have:

  • IMAP uses port 143, but SSL/TLS encrypted IMAP uses port 993.
  • POP uses port 110, but SSL/TLS encrypted POP uses port 995.
  • SMTP uses port 25, but SSL/TLS encrypted SMTP uses port 465.

At some point, it was decided that having 2 ports for every protocol was wasteful, and instead you should have 1 port that starts off as plaintext, but the client can upgrade the connection to an SSL/TLS encrypted one. This is what STARTTLS was created to do.

There were a few problems with this though. There was already existing software that used the alternate port numbers with pure SSL/TLS connections. Client software can be very long lived, so you can't just disable the encrypted ports until all software has been upgraded.

Mechanisms were added to each protocol to tell clients that the plaintext protocol supported upgrading to SSL/TLS (i.e. STARTTLS), and that they should not attempt to log in without doing the STARTTLS upgrade. This created two unfortunate situations:

  1. Some software just ignored the "login disabled until upgraded"announcement and just tried to log in anyway, sending the username and password over plaintext. Even if the server then rejected the login, the details had already been sent over the Internet in plaintext.
  2. Other software saw the "login disabled until upgraded" announcement, but then wouldn't upgrade the connection automatically, and thus reported login errors back to the user, which caused confusion about what was wrong.

Both of these problems resulted in significant compatibility issues with existing clients, and so most system administrators continued to just use plaintext connections on one port number, and encrypted connections on a separate port number.

This has now basically become the de facto standard that everyone uses. IMAP SSL/TLS encrypted over port 993 or POP SSL/TLS encrypted over port 995. Many sites (including FastMail) now disable plain IMAP (port 143) and plain POP (port 110) altogether so people must use an SSL/TLS encrypted connection. By disabling ports 143 and 110, this removes completely STARTTLS as even an option for IMAP/POP connections.

SMTP STARTTLS as an exception

The one real exception to the above is SMTP. However that's for a different reason again. Most email software used SMTP on port 25 to submit messages to the email server for onward transmission to the destination. However, SMTP was originally designed for transfer, not submission. So yet another port (587) was defined for message submission. Although port 587 doesn't mandate requiring STARTTLS, the use of port 587 became popular around the same time as the realisation that SSL/TLS encryption of communications between clients and servers was an important security and privacy issue.

The result is that in most cases, systems that offer message submission over port 587 require clients to use STARTLS to upgrade the connection and also require a username and password to authenticate. There has been an added benefit to this approach as well. By moving users away from using port 25 for email submission, ISPs are now able to block outgoing port 25 connections from users' computers, which were a significant source of spam due to infection with spam-sending viruses.

Currently, things seem relatively randomly split between people using SMTP SSL/TLS encrypted over port 465, and people using SMTP with STARTTLS upgrading over port 587.

JavaMail APIs

1. JavaMail – via TLS

Send an Email via Gmail SMTP server using TLS connection.

package com.mkyong.common;

import java.util.Properties;

import javax.mail.Message;

import javax.mail.MessagingException;

import javax.mail.PasswordAuthentication;

import javax.mail.Session;

import javax.mail.Transport;

import javax.mail.internet.InternetAddress;

import javax.mail.internet.MimeMessage;

public class SendMailTLS {

    public static void main(String[] args) {

        final String username = "username@gmail.com";

        final String password = "password";

        Properties props = new Properties();

        props.put("mail.smtp.auth", "true");

        props.put("mail.smtp.starttls.enable", "true");

        props.put("mail.smtp.host", "smtp.gmail.com");

        props.put("mail.smtp.port", "587");

        Session session = Session.getInstance(props,

          new javax.mail.Authenticator() {

            protected PasswordAuthentication getPasswordAuthentication() {

                return new PasswordAuthentication(username, password);

            }

          });

        try {

            Message message = new MimeMessage(session);

            message.setFrom(new InternetAddress("from-email@gmail.com"));

            message.setRecipients(Message.RecipientType.TO,

                InternetAddress.parse("to-email@gmail.com"));

            message.setSubject("Testing Subject");

            message.setText("Dear Mail Crawler,"

                + "\n\n No spam to my email, please!");

            Transport.send(message);

            System.out.println("Done");

        } catch (MessagingException e) {

            throw new RuntimeException(e);

        }

    }

}

2. JavaMail – via SSL

Send an Email via Gmail SMTP server using SSL connection.

package com.mkyong.common;

import java.util.Properties;

import javax.mail.Message;

import javax.mail.MessagingException;

import javax.mail.PasswordAuthentication;

import javax.mail.Session;

import javax.mail.Transport;

import javax.mail.internet.InternetAddress;

import javax.mail.internet.MimeMessage;

public class SendMailSSL {

    public static void main(String[] args) {

        Properties props = new Properties();

        props.put("mail.smtp.host", "smtp.gmail.com");

        props.put("mail.smtp.socketFactory.port", "");

        props.put("mail.smtp.socketFactory.class",

                "javax.net.ssl.SSLSocketFactory");

        props.put("mail.smtp.auth", "true");

        props.put("mail.smtp.port", "");

        Session session = Session.getDefaultInstance(props,

            new javax.mail.Authenticator() {

                protected PasswordAuthentication getPasswordAuthentication() {

                    return new PasswordAuthentication("username","password");

                }

            });

        try {

            Message message = new MimeMessage(session);

            message.setFrom(new InternetAddress("from@no-spam.com"));

            message.setRecipients(Message.RecipientType.TO,

                    InternetAddress.parse("to@no-spam.com"));

            message.setSubject("Testing Subject");

            message.setText("Dear Mail Crawler," +

                    "\n\n No spam to my email, please!");

            Transport.send(message);

            System.out.println("Done");

        } catch (MessagingException e) {

            throw new RuntimeException(e);

        }

    }

}

References

http://www.mkyong.com/java/javamail-api-sending-email-via-gmail-smtp-example/

https://www.fastmail.com/help/technical/ssltlsstarttls.html

JavaMail: SSL vs TLS vs STARTTLS的更多相关文章

  1. 安全协议系列(四)----SSL与TLS

    当今社会,电子商务大行其道,作为网络安全 infrastructure 之一的 -- SSL/TLS 协议的重要性已不用多说.OpenSSL 则是基于该协议的目前应用最广泛的开源实现,其影响之大,以至 ...

  2. Fiddler如何抓取使用了SSL或TLS传输的Android App流量

    上篇文章介绍了Burpsuite如何抓取使用了SSL或TLS传输的Android App流量, 那么使用Fiddler的时候其实 也会出现与burpsuite同样的情况,解决方案同样是需要将Fiddl ...

  3. Burpsuite如何抓取使用了SSL或TLS传输的Android App流量

    一.问题分析 一般来说安卓的APP端测试分为两个部分,一个是对APK包层面的检测,如apk本身是否加壳.源代码本身是否有恶意内嵌广告等的测试,另一个就是通过在本地架设代理服务器来抓取app的包分析是否 ...

  4. SSL、TLS协议格式、HTTPS通信过程、RDP SSL通信过程(缺heartbeat)

    SSL.TLS协议格式.HTTPS通信过程.RDP SSL通信过程   相关学习资料 http://www.360doc.com/content/10/0602/08/1466362_30787868 ...

  5. 关于x509、crt、cer、key、csr、pem、der、ssl、tls 、openssl等

    关于x509.crt.cer.key.csr.pem.der.ssl.tls .openssl等 TLS:传输层安全协议 Transport Layer Security的缩写 TLS是传输层安全协议 ...

  6. Burpsuite如何抓取使用了SSL或TLS传输的 IOS App流量

    之前一篇文章介绍了Burpsuite如何抓取使用了SSL或TLS传输的Android App流量,那么IOS中APP如何抓取HTTPS流量呢, 套路基本上与android相同,唯一不同的是将证书导入i ...

  7. 小白日记53:kali渗透测试之Web渗透-SSL、TLS中间人攻击(SSLsplit,Mitmproxy,SSLstrip),拒绝服务攻击

    SSL.TLS中间人攻击 SSL中间人攻击 攻击者位于客户端和服务器通信链路中 利用方法: ARP地址欺骗 修改DHCP服务器 (存在就近原则) 手动修改网关 修改DNS设置 修改HOSTS文件[高于 ...

  8. SSL与TLS有什么区别

    SSL与TLS有什么区别(最全面的知识点都在这) 发布日期:2018-10-12SSL:(Secure Socket Layer,安全套接字层),位于可靠的面向连接的网络层协议和应用层协议之间的一种协 ...

  9. 浅谈HTTPS协议和SSL、TLS之间的区别与关系

    HTTP可能是我们见到过最多的一个字符串了,应该没有之一,而对于HTTPS到来和趋势,我们又开始看到SSL/TLS,所以对于一般不只做技术的人来说这或许还是一个疑问,那么子凡就趁最近在折腾这方面来给大 ...

随机推荐

  1. 阿里云yum源安装

      1.先清理掉yum.repos.d下面的所有repo文件 [root@localhost yum.repos.d]# rm -rf * 2.下载repo文件  wget http://mirror ...

  2. jquery基础

    show() hide() toggle()         fadeIn() fadeOut() fadeToggle() fadeTo()         slideUp() slideDown( ...

  3. 最新官方WIN10系统32位,64位系统ghost版下载

    系统来自:系统妈 随着Windows 10Build 10074 Insider Preview版发布,有理由相信,Win10离最终RTM阶段已经不远了.看来稍早前传闻的合作伙伴透露微软将在7月底正式 ...

  4. Linux之shell篇

    shell是用户与系统交互的界面,这是基本方式之一.标准的shell为bash. shell的操作: 显示所有使用过的命令:history. 执行最近执行过的一条指令:!!.首先会给出执行的是哪一条指 ...

  5. 数据库 数据库SQL语句三

    转换函数 to_char()字符串转换日期函数 --查询大于某个日期的员工信息 select * from emp where hiredate>to_date('1980-02-12','yy ...

  6. [LeetCode] Wiggle Sort II 摆动排序

    Given an unsorted array nums, reorder it such that nums[0] < nums[1] > nums[2] < nums[3]... ...

  7. [LeetCode] Jump Game II 跳跃游戏之二

    Given an array of non-negative integers, you are initially positioned at the first index of the arra ...

  8. GreenDao的使用

    1.生成代码文件

  9. HAProxy的日志配置以及ACL规则实现负载均衡

    HAProxy配置日志策略 默认情况下,HAProxy是没有配置日志的在centos6.3下默认管理日志的是rsyslog,可以实现UDP日志的接收,将日志写入文件,写入数据库先检测rsyslog是否 ...

  10. vue-Resource(与后端数据交互)

    单来说,vue-resource就像jQuery里的$.ajax,用来和后端交互数据的.可以放在created或者ready里面运行来获取或者更新数据... vue-resource文档:https: ...