M3AAWG Recommends TLS

SSL or Secure Sockets Layer is protocol designed to provide a secure way of transmitting information between computer systems. Originally created by Netscape and released publicly as SSLv2 in 1995 and updated to SSLv3 in 1996. TLS or Transport Layer Security was created in 1999 as a replacement for SSLv3. TLS and SSL are most commonly used to create a secure (encrypted) connection between your web browser and websites so that you can transmit sensitive information like login credentials, passwords, and credit card numbers.
M3AAWG published a initial recommendation that urges the disabling of all versions of SSL. It has been a rough year for encryption security, first with Heartbleed vulnerability with the OpenSSL library, and again with POODLE which stands for “Padding Oracle on Downgraded Legacy Encryption” that was discovered by Google security researchers in October of 2014. On December 8, 2014 it was reported that TLS implementations are also vulnerable to POODLE attack, however unlike SSLv3, TLS can be patched where as SSL 3.0 has a fundamental issue with the protocol.

Due to a number of known security issues with SSLv2 and SSLv3, M3AAWG urges the industry to disable all versions of SSL.

M3AAWG are not the only ones calling to leave SSL behind, Firefox disabled all versions of SSL in Firefox 34, Microsoft will disable fallback to SSL 3 in IE11 starting in February 2015 and Apple’s Safari OSX 10.8 and iOS 8.1 have removed all support for SSLv3.
As more mailbox providers enable TLS encryption, it will protect emails in transit from eavesdropping. M3AAWG recommends starting with TLS version 1.2 for mail servers.

Related Posts

Google's Inbox Team answers questions on Reddit

The team behind Google’s new Inbox app did an “Ask us Anything” Q&A with reddit on December 3rd. The team consisted of a Product Manager, Designer, and Software Engineer and for two hours the team answered all sorts of questions.
Most of the questions were about new features or supporting additional email providers and it showed just how new this app is, it’s not quite ready to be your primary email client as Inbox only supports personal Gmail accounts. The Inbox team mentions they are working on supporting additional mail providers but does not give a timeline of when that would be available.
For email marketers, Google Inbox shares the same HTML sanitizer and media queries that Gmail does and when asked about email filtering it was mentioned that the direct marketing community would benefit by having a place for their emails within the Promos tab. They describe the Promo tab as

Read More

Ironport response

Last week I posted about a ESP that had a misconfiguration in their Ironport A60s that let spammers use the A60s to relay email to AOL. Earlier this week, Pat Peterson from Ironport approached me to talk about the problem and clarify what happened.
Ironport has provided me with the following explanation.

Read More

M3AAWG Boston

The tri-annual procession of Facebook friends and colleagues to a disclosed location to talk about messaging, abuse and prevention started over the weekend.  For me, this M³AAWG conference marks the beginning of a new chapter. We’re hiring, and even before the conference officially started I’ve had some productive conversations with people about what we’re looking for and how we see the company growing. M³AAWG is always a little like a reunion. I’ve been working with some of the people present for more than a dozen years, and some I’ve known for even longer. The conference is work, they mean the “working group” part of their name, but it’s also a time to create and maintain the community that keeps our online messaging from being overwhelmed. If you’re here, drop by and say hi (and don’t forget to visit my session on Thursday afternoon)! Otherwise, watch this space as I share what insights I can about the information presented.

Read More