https://www.fastmail.com/help/technical/ssltlsstarttls.html

SSL vs TLS vs STARTTLS

There's often quite a bit of confusion around the different terms SSL, TLS and STARTTLS.

SSL and TLS both provide a way to encrypt a communication channel between two computers (e.g. your computer and our server). TLS is the successor to SSL and the terms SSL and TLS are used interchangeably unless you're referring to a specific version of the protocol.

STARTTLS is a way to take an existing insecure connection and upgrade it to a secure connection using SSL/TLS. Note that despite having TLS in the name, STARTTLS doesn't mean you have to use TLS, you can use SSL.

SSL/TLS version numbers

Version numbering is inconsistent between SSL and TLS versions. When TLS took over from SSL as the preferred protocol name, it began a new version number, and also began using sub-versions. So the ordering of protocols in terms of oldest to newest is: SSL v2, SSL v3, TLS v1.0, TLS v1.1, TLS v1.2, TLS v1.3 (currently proposed).

When you connect to an SSL/TLS encrypted port, or use STARTTLS to upgrade an existing connection, both sides will negotiate which protocol and which version to use based on what has been configured in the software and what each side supports.

Support for SSL/TLS is virtually universal these days, however which versions are supported is variable. SSL v2 was deprecated and phased out many years ago due to security issues. SSL v3 is currently deprecated due to security issues, and support has or is being phased out by most services these days. Almost all software supports TLS v1.0. As at October 2016, support for TLS v1.1 and TLS v1.2 is also very good, though there are some exceptions, mostly with Internet Explorer.

TLS vs STARTTLS naming problem

One significant complicating factor is that some email software incorrectly uses the term TLS when they should have used STARTTLS. Older versions of Thunderbird in particular used "TLS" to mean "enforce use of STARTTLS to upgrade the connection, and fail if STARTTLS is not supported" and "TLS, if available" to mean "use STARTTLS to upgrade the connection if the server advertises support for it, otherwise just use an insecure connection".

SSL/TLS vs plaintext/STARTTLS port numbers

The above is particularly problematic when combined with having to configure a port number for each protocol.

To add security to some existing protocols (e.g. IMAP, POP, etc.), it was decided to just add SSL/TLS encryption as a layer underneath the existing protocol. However, to distinguish that software should talk the SSL/TLS encrypted version of the protocol rather than the plaintext one, a different port number was used for each protocol. So you have:

  • IMAP uses port 143, but SSL/TLS encrypted IMAP uses port 993.
  • POP uses port 110, but SSL/TLS encrypted POP uses port 995.
  • SMTP uses port 25, but SSL/TLS encrypted SMTP uses port 465.

At some point, it was decided that having 2 ports for every protocol was wasteful, and instead you should have 1 port that starts off as plaintext, but the client can upgrade the connection to an SSL/TLS encrypted one. This is what STARTTLS was created to do.

There were a few problems with this though. There was already existing software that used the alternate port numbers with pure SSL/TLS connections. Client software can be very long lived, so you can't just disable the encrypted ports until all software has been upgraded.

Mechanisms were added to each protocol to tell clients that the plaintext protocol supported upgrading to SSL/TLS (i.e. STARTTLS), and that they should not attempt to log in without doing the STARTTLS upgrade. This created two unfortunate situations:

  1. Some software just ignored the "login disabled until upgraded"announcement and just tried to log in anyway, sending the username and password over plaintext. Even if the server then rejected the login, the details had already been sent over the Internet in plaintext.
  2. Other software saw the "login disabled until upgraded" announcement, but then wouldn't upgrade the connection automatically, and thus reported login errors back to the user, which caused confusion about what was wrong.

Both of these problems resulted in significant compatibility issues with existing clients, and so most system administrators continued to just use plaintext connections on one port number, and encrypted connections on a separate port number.

This has now basically become the de facto standard that everyone uses. IMAP SSL/TLS encrypted over port 993 or POP SSL/TLS encrypted over port 995. Many sites (including FastMail) now disable plain IMAP (port 143) and plain POP (port 110) altogether so people must use an SSL/TLS encrypted connection. By disabling ports 143 and 110, this removes completely STARTTLS as even an option for IMAP/POP connections.

SMTP STARTTLS as an exception

The one real exception to the above is SMTP. However that's for a different reason again. Most email software (known as a mail user agent) used SMTP on port 25 to submit messages to the email server for onward transmission to the destination (known as a mail transfer agent). However, SMTP was originally designed for transfer, not submission. So yet another port (587) was defined for message submission.

Although port 587 doesn't mandate requiring STARTTLS, the use of port 587 became popular around the same time as the realisation that SSL/TLS encryption of communications between clients and servers was an important security and privacy issue and encryption extensions were being defined for sMTP. So shortly after port 465 was defined, it was revoked with the expectation that clients would move to using STARTTLS over port 587

The result is that in most cases, systems that offer message submission over port 587require clients to use STARTLS to upgrade the connection and also require a username and password to authenticate. There has been an added benefit to this approach as well. By moving users away from using port 25 for email submission, ISPs are now able to block outgoing port 25 connections from users' computers, which were a significant source of spam due to infection with spam-sending viruses.

Unfortunately the downside of changing port numbers is that a number of email clients were made which only supported SSL/TLS over port 465 and not STARTTLS on 587. Clients are often very long lived, and so removing port 465 wasn't an option for many sites without annoying customers. Additionally, because port 465 was advertised as an option, many users with email clients that support both STARTTLS on 587 and SSL/TLS on 465 set them up to use 465 instead of 587. This makes it even harder to remove support for port 465, since lots of users have their email clients set up to use it.

Currently, things seem relatively randomly split between people using SMTP SSL/TLS encrypted over port 465, and people using SMTP with STARTTLS upgrading over port 587.

SSL & TLS & STARTTLS的更多相关文章

  1. [skill][https][ssl/tls] HTTPS相关知识汇总

    结论前置: A 身份验证 证书, 服务器证书 B 密钥协商 RSA   DHE / ECDHE   PSK C 加密通信 加密通信采用对称加密,使用B阶段协商出来的密钥. B 阶段如果使用 RSA 协 ...

  2. Netty入门(七)使用SSL/TLS加密Netty程序

    为了支持 SSL/TLS,Java 提供了 javax.net.ssl API 的类 SslContext 和 SslEngine 使它相对简单的实现解密和加密.Netty 利用该 API 实现了 C ...

  3. 【转载】python中利用smtplib发送邮件的3中方式 普通/ssl/tls

    #!/usr/bin/python # coding:utf- import smtplib from email.MIMEText import MIMEText from email.Utils ...

  4. Python3中发邮件emal(明文/SSL/TLS三种方式)

    #!/usr/bin/env python #-*- coding:utf-8 -*- #Author:lzd import smtplib from email.mime.text import M ...

  5. 协议森林17 我和你的悄悄话 (SSL/TLS协议)

    作者:Vamei 出处:http://www.cnblogs.com/vamei 转载请先与我联系. TLS名为传输层安全协议(Transport Layer Protocol),这个协议是一套加密的 ...

  6. Paypal开发中遇到请求被中止: 未能创建 SSL/TLS 安全通道及解决方案

    最近在基于ASP.NET上开发了Paypal支付平台,在ASP.NET开发的过程中没有遇到这个问题,但是引用到MVC开发模式中的时候就出现了"未能创建 SSL/TLS 安全通道及解决方案&q ...

  7. 聊聊HTTPS和SSL/TLS协议

    要说清楚 HTTPS 协议的实现原理,至少需要如下几个背景知识.1. 大致了解几个基本术语(HTTPS.SSL.TLS)的含义2. 大致了解 HTTP 和 TCP 的关系(尤其是“短连接”VS“长连接 ...

  8. 浅谈HTTPS和SSL/TLS协议的背景和基础

    相关背景知识要说清楚HTTPS协议的实现原理,至少要需要如下几个背景知识.大致了解几个基础术语(HTTPS.SSL.TLS)的含义大致了解HTTP和TCP的关系(尤其是"短连接"和 ...

  9. 在 ASP.NET MVC 中使用 HTTPS (SSL/TLS) -- 学习

    在 ASP.NET MVC 中使用 HTTPS (SSL/TLS) IS 7如何实现http重定向https HTTPS 升级指南

随机推荐

  1. R 语言 相关入门资料

    <R语言基础语法入门>: http://www.xueqing.tv/upload/april-training/day1/index.html#1

  2. MYSQL 分组合并函数

    From: http://blog.csdn.net/wwwyuanliang10000/article/details/27536175 MySQL中group_concat函数完整的语法如下:gr ...

  3. 纯CSS3实现牛奶般剔透的3D按钮特效

    今天我们要来看一款非常特别的纯CSS3 3D按钮,它的外观酷似纯白剔透的牛奶,点击按钮的时候还会出现一种很柔和的弹力效果.按钮按下时,按钮会轻轻的弹动一下,非常逼真.本文我们在观赏演示的同时,也将源代 ...

  4. python numpy 下载地址

    网上找了半天,终于把要安装的资料找到了.其他的不怎么全,就自己再次总结一下写.         我自己安装的是python 2.7.所以以下的东东都是针对2.7的软件. numpy :http://s ...

  5. asp.net操作cookie类,包含datatable批量存入cookie

    以下是类: public class CookieMgr { #region 快速储存Cookie /// <summary> /// 快速储存Cookie /// </summar ...

  6. JSTL的if...else项目小试

      最近在项目中有一个小的效果显示为:在前端,根据一个字段来判断是否弹出一个窗口. 具体需求为:单击表格中的课程名称链接,如果此课程已经被排课,那么就弹出排课窗口,如果未排课就弹出提示box. 具体的 ...

  7. UNIX环境编程学习笔记(25)——信号处理进阶学习之 sigaction 函数

    lienhua342014-11-05 sigaction 函数跟 signal 函数一样,用于设置信号处理函数.此函数是用于取代 UNIX 早期版本使用的 signal 函数.UNIX 早期版本的 ...

  8. 为npm设置代理

    npm全称为Node Packaged Modules.它是一个用于管理基于node.js编写的package的命令行工具.其本身就是基于node.js写的,这有点像gem与ruby的关系. 在我们的 ...

  9. mongodb:修改oplog.rs 的大小size

    其内容字段说明: ts:操作日志的timestamp t: 未知? h:操作唯一随机值 v:oplog.rs的版本 op:操作类型: i:insert操作 u:update操作 d:delete操作 ...

  10. geoserver 数据图层输出格式

    1.WMS服务请求参数 一般WMS的请求地址如下: http://localhost:8080/geoserver/topp/wms?service=WMS&versi on=1.1.0&am ...