Abstract:
TLS is a widely adopted protocol for securing data transmission at the transport layer. In e-mail protocols such as SMTP, IMAP, and POP3, TLS is not always applied directly; instead, it is often negotiated via a STARTTLS command, which triggers the TLS handshake. During the handshake, the parties establish a shared secret that forms the basis for secure data exchange. Because repeating the full TLS handshake adds latency to every connection, session resumption mechanisms have been introduced as a remedy: they allow both parties to reuse secrets from a previous session. A well-known session resumption mechanism is based on session tickets. After the secret has been established, the server encrypts the session information, including the secret, with a Session Ticket Encryption Key (STEK). The encrypted information forms a ticket that the client receives from the server, stores, and presents for future resumptions. To preserve the security of TLS sessions, the STEK must be known only to the server. Compromise or prediction of the STEK poses a severe security risk, as an attacker could passively record and decrypt TLS sessions. This motivates us to describe several potential security vulnerabilities in the processing of session tickets by e-mail servers. Next, we identify e-mail servers in the wild based on the Tranco ranking list of one million domains. We then perform a large-scale scan of the identified servers for the vulnerabilities presented. Finally, we present the scan results and provide a brief comparative analysis with the outcomes observed for the HTTPS protocol.
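To make the STEK's role concrete, here is an added example (not code from the paper or from any mail server) of a minimal ticket issuer in Go: each ticket carries a 4-byte key name, is sealed with AES-GCM under the current STEK, and the server keeps only the current and the previous STEK, so rotation bounds how long a leaked key can decrypt recorded tickets. The ticket layout, the two-key rotation policy and the names `issuer`, `Rotate`, `Issue` and `Resume` are assumptions of this example, not the paper's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// issuer is the server side of ticket resumption (assumed layout, RFC 5077 style):
// a ticket starts with the 4-byte name of the STEK that sealed it, and only the
// current and the previous STEK are kept. Call Rotate once before Issue.
type issuer struct {
	cur  uint32         // name of the STEK that seals new tickets
	keys [2]cipher.AEAD // keys[cur%2] is current, keys[(cur-1)%2] retired
}

// Rotate installs a fresh random 256-bit STEK, overwriting the key before last.
func (i *issuer) Rotate() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // no randomness means no usable STEK
	}
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	i.cur++
	i.keys[i.cur%2], _ = cipher.NewGCM(block) // AES block: cannot fail
}

// Issue seals state (e.g. the resumption secret) under the current STEK as
// key_name || nonce || AES-GCM(state), with key_name authenticated as AAD.
func (i *issuer) Issue(state []byte) []byte {
	g := i.keys[i.cur%2]
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a reused nonce would break AES-GCM
	}
	hdr := binary.BigEndian.AppendUint32(nil, i.cur)
	return g.Seal(append(hdr, nonce...), nonce, state, hdr)
}

// Resume opens a ticket only if its key name refers to a STEK the server still
// holds; anything else sends the client through a full handshake.
func (i *issuer) Resume(ticket []byte) ([]byte, error) {
	if len(ticket) < 4+12+16 { // key_name || GCM nonce || at least the tag
		return nil, errors.New("ticket too short")
	}
	name := binary.BigEndian.Uint32(ticket[:4])
	if g := i.keys[name%2]; g != nil && (name == i.cur || name == i.cur-1) {
		return g.Open(nil, ticket[4:16], ticket[16:], ticket[:4])
	}
	return nil, errors.New("unknown STEK name: full handshake required")
}
```

Whoever holds a STEK can open every ticket sealed under it with the same AEAD call the server uses, which is why the key must stay server-only and why rotation matters.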