JavaMail: SSL vs TLS vs STARTTLS
SSL vs TLS vs STARTTLS
There's often quite a bit of confusion around the different terms SSL, TLS and STARTTLS.
SSL and TLS both provide a way to encrypt a communication channel between two computers (e.g. your computer and our server). TLS is the successor to SSL and the terms SSL and TLS are used interchangeably unless you're referring to a specific version of the protocol.
STARTTLS is a way to take an existing insecure connection and upgrade it to a secure connection using SSL/TLS. Note that despite having TLS in the name, STARTTLS doesn't mean you have to use TLS, you can use SSL.
SSL/TLS version numbers
Version numbering is inconsistent between SSL and TLS versions. When TLS took over from SSL as the preferred protocol name, it began a new version number, and also began using sub-versions. So the ordering of protocols in terms of oldest to newest is: SSL v2, SSL v3, TLS v1.0, TLS v1.1, TLS v1.2.
When you connect to an SSL/TLS encrypted port, or use STARTTLS to upgrade an existing connection, both sides will negotiate which protocol and which version to use based on what has been configured in the software and what each side supports.
Support for SSL/TLS is virtually universal these days; however, which versions are supported varies. Pretty much everything supports SSL v3 (except a few very old Palm Treo devices, as we discovered). Most things support TLS v1.0. As at May 2012, support for TLS v1.1 and TLS v1.2 is more limited.
TLS vs STARTTLS naming problem
One significant complicating factor is that some email software incorrectly uses the term TLS when they should have used STARTTLS. Older versions of Thunderbird in particular used "TLS" to mean "enforce use of STARTTLS to upgrade the connection, and fail if STARTTLS is not supported" and "TLS, if available" to mean "use STARTTLS to upgrade the connection if the server advertises support for it, otherwise just use an insecure connection".
SSL/TLS vs plaintext/STARTTLS port numbers
The above is particularly problematic when combined with having to configure a port number for each protocol.
To add security to some existing protocols (e.g. IMAP, POP, etc.), it was decided to just add SSL/TLS encryption as a layer underneath the existing protocol. However, to distinguish that software should talk the SSL/TLS encrypted version of the protocol rather than the plaintext one, a different port number was used for each protocol. So you have:
- IMAP uses port 143, but SSL/TLS encrypted IMAP uses port 993.
- POP uses port 110, but SSL/TLS encrypted POP uses port 995.
- SMTP uses port 25, but SSL/TLS encrypted SMTP uses port 465.
At some point, it was decided that having 2 ports for every protocol was wasteful, and instead you should have 1 port that starts off as plaintext, but the client can upgrade the connection to an SSL/TLS encrypted one. This is what STARTTLS was created to do.
There were a few problems with this though. There was already existing software that used the alternate port numbers with pure SSL/TLS connections. Client software can be very long lived, so you can't just disable the encrypted ports until all software has been upgraded.
Mechanisms were added to each protocol to tell clients that the plaintext protocol supported upgrading to SSL/TLS (i.e. STARTTLS), and that they should not attempt to log in without doing the STARTTLS upgrade. This created two unfortunate situations:
- Some software just ignored the "login disabled until upgraded" announcement and just tried to log in anyway, sending the username and password over plaintext. Even if the server then rejected the login, the details had already been sent over the Internet in plaintext.
- Other software saw the "login disabled until upgraded" announcement, but then wouldn't upgrade the connection automatically, and thus reported login errors back to the user, which caused confusion about what was wrong.
Both of these problems resulted in significant compatibility issues with existing clients, and so most system administrators continued to just use plaintext connections on one port number, and encrypted connections on a separate port number.
This has now basically become the de facto standard that everyone uses: IMAP SSL/TLS encrypted over port 993 or POP SSL/TLS encrypted over port 995. Many sites (including FastMail) now disable plain IMAP (port 143) and plain POP (port 110) altogether so people must use an SSL/TLS encrypted connection. Disabling ports 143 and 110 removes STARTTLS entirely as an option for IMAP/POP connections.
SMTP STARTTLS as an exception
The one real exception to the above is SMTP. However that's for a different reason again. Most email software used SMTP on port 25 to submit messages to the email server for onward transmission to the destination. However, SMTP was originally designed for transfer, not submission. So yet another port (587) was defined for message submission. Although port 587 doesn't mandate requiring STARTTLS, the use of port 587 became popular around the same time as the realisation that SSL/TLS encryption of communications between clients and servers was an important security and privacy issue.
The result is that in most cases, systems that offer message submission over port 587 require clients to use STARTTLS to upgrade the connection and also require a username and password to authenticate. There has been an added benefit to this approach as well. By moving users away from using port 25 for email submission, ISPs are now able to block outgoing port 25 connections from users' computers, which were a significant source of spam due to infection with spam-sending viruses.
Currently, things seem relatively randomly split between people using SMTP SSL/TLS encrypted over port 465, and people using SMTP with STARTTLS upgrading over port 587.
JavaMail APIs
1. JavaMail – via TLS
Send an email via the Gmail SMTP server using a STARTTLS-upgraded connection on port 587 (the "TLS" in the class name is the naming problem described above: the connection starts in plaintext and is then upgraded).
package com.mkyong.common;

import java.util.Properties;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

public class SendMailTLS {

    public static void main(String[] args) {
        final String username = "username@gmail.com";
        final String password = "password";

        Properties props = new Properties();
        props.put("mail.smtp.auth", "true");
        // Plaintext connection to the submission port, upgraded with STARTTLS
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.host", "smtp.gmail.com");
        props.put("mail.smtp.port", "587");

        Session session = Session.getInstance(props,
            new javax.mail.Authenticator() {
                protected PasswordAuthentication getPasswordAuthentication() {
                    return new PasswordAuthentication(username, password);
                }
            });

        try {
            Message message = new MimeMessage(session);
            message.setFrom(new InternetAddress("from-email@gmail.com"));
            message.setRecipients(Message.RecipientType.TO,
                InternetAddress.parse("to-email@gmail.com"));
            message.setSubject("Testing Subject");
            message.setText("Dear Mail Crawler,"
                + "\n\n No spam to my email, please!");

            Transport.send(message);

            System.out.println("Done");
        } catch (MessagingException e) {
            throw new RuntimeException(e);
        }
    }
}
2. JavaMail – via SSL
Send an email via the Gmail SMTP server using an SSL/TLS-encrypted connection on port 465 (encrypted from the first byte, with no plaintext phase and no STARTTLS upgrade).
package com.mkyong.common;

import java.util.Properties;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

public class SendMailSSL {

    public static void main(String[] args) {
        Properties props = new Properties();
        props.put("mail.smtp.host", "smtp.gmail.com");
        // 465 is the SSL/TLS encrypted SMTP port described above; the original
        // listing left both port properties empty, which cannot connect.
        props.put("mail.smtp.socketFactory.port", "465");
        // Wrap the socket in SSL from the start instead of upgrading with STARTTLS
        props.put("mail.smtp.socketFactory.class",
            "javax.net.ssl.SSLSocketFactory");
        props.put("mail.smtp.auth", "true");
        props.put("mail.smtp.port", "465");

        // getInstance rather than getDefaultInstance: the default session (and the
        // Authenticator holding the password) would otherwise be shared JVM-wide.
        Session session = Session.getInstance(props,
            new javax.mail.Authenticator() {
                protected PasswordAuthentication getPasswordAuthentication() {
                    return new PasswordAuthentication("username", "password");
                }
            });

        try {
            Message message = new MimeMessage(session);
            message.setFrom(new InternetAddress("from@no-spam.com"));
            message.setRecipients(Message.RecipientType.TO,
                InternetAddress.parse("to@no-spam.com"));
            message.setSubject("Testing Subject");
            message.setText("Dear Mail Crawler,"
                + "\n\n No spam to my email, please!");

            Transport.send(message);

            System.out.println("Done");
        } catch (MessagingException e) {
            throw new RuntimeException(e);
        }
    }
}
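The two listings above map onto the port semantics from the first half of the page, but the STARTTLS listing only sets mail.smtp.starttls.enable, which is JavaMail's equivalent of Thunderbird's "TLS, if available": if the server does not advertise STARTTLS, the password goes out in plaintext. The following is an added example, not code from the original post or from mkyong, that builds hardened properties for both modes and audits an existing Properties object for that gap; the host name is a placeholder argument and the property names are standard JavaMail SMTP properties.

```java
import java.util.Properties;

// Added example: JavaMail SMTP properties for implicit SSL/TLS (465) and
// enforced STARTTLS (587), plus an audit for the "encrypt if available" trap.
public final class SmtpTransportConfig {

    public enum Mode { IMPLICIT_TLS, STARTTLS }

    // host is a placeholder parameter; pass your provider's submission host.
    public static Properties build(Mode mode, String host) {
        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.auth", "true");
        // Restrict negotiation to these versions; SSLv3, TLS 1.0 and 1.1 are excluded.
        p.put("mail.smtp.ssl.protocols", "TLSv1.2 TLSv1.3");
        // Verify the server certificate matches the host name we connected to.
        p.put("mail.smtp.ssl.checkserveridentity", "true");
        if (mode == Mode.IMPLICIT_TLS) {
            // Port 465: SSL/TLS from the first byte, no plaintext phase at all.
            p.put("mail.smtp.port", "465");
            p.put("mail.smtp.ssl.enable", "true");
        } else {
            // Port 587: plaintext greeting, then upgrade. starttls.enable alone is
            // "TLS, if available"; starttls.required makes JavaMail abort instead
            // of authenticating over plaintext when STARTTLS is not offered.
            p.put("mail.smtp.port", "587");
            p.put("mail.smtp.starttls.enable", "true");
            p.put("mail.smtp.starttls.required", "true");
        }
        return p;
    }

    // True when the password could travel unencrypted: no implicit SSL/TLS
    // (neither ssl.enable nor the legacy SSLSocketFactory) and STARTTLS absent
    // or merely optional.
    public static boolean allowsPlaintextAuth(Properties p) {
        boolean implicitTls = "true".equalsIgnoreCase(p.getProperty("mail.smtp.ssl.enable"))
            || "javax.net.ssl.SSLSocketFactory".equals(p.getProperty("mail.smtp.socketFactory.class"));
        boolean starttlsRequired = "true".equalsIgnoreCase(p.getProperty("mail.smtp.starttls.enable"))
            && "true".equalsIgnoreCase(p.getProperty("mail.smtp.starttls.required"));
        return !implicitTls && !starttlsRequired;
    }

    public static void main(String[] args) {
        Properties asWritten = new Properties();          // SendMailTLS's settings
        asWritten.put("mail.smtp.starttls.enable", "true");
        System.out.println("SendMailTLS as written, plaintext auth possible: " + allowsPlaintextAuth(asWritten));
        System.out.println("STARTTLS required, plaintext auth possible:     " + allowsPlaintextAuth(build(Mode.STARTTLS, "smtp.example.invalid")));
        System.out.println("Implicit TLS on 465, plaintext auth possible:   " + allowsPlaintextAuth(build(Mode.IMPLICIT_TLS, "smtp.example.invalid")));
    }
}
```

The audit reports the original SendMailTLS configuration as allowing plaintext authentication and both hardened configurations as not; pass the Properties from build() to Session.getInstance together with an Authenticator exactly as in the listings above.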
References
http://www.mkyong.com/java/javamail-api-sending-email-via-gmail-smtp-example/
https://www.fastmail.com/help/technical/ssltlsstarttls.html