Some businesses running their own email servers are faced with a choice to either upgrade their level of encryption to meet Apple Inc.’s new standards, or use none whatsoever.
After upgrading in-house Apple hardware to OS X 10.10.4 and iOS 8.4 last month, many businesses that run their own SMTP email servers suddenly found themselves unable to send a message from their iPhones and Macs. In threads on Apple’s support forum, users describe error messages effectively telling them that the connection to their server had been cut off. The problem is specific to the new versions of iOS and OS X and stems from Apple’s effort to mitigate a recently disclosed security vulnerability known as “Logjam.”
Logjam is a vulnerability disclosed by a group of security researchers in May. It “allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography,” the group explains on weakdh.org. “This allows the attacker to read and modify any data passed over the connection.”
In other words, an attacker sitting between a client and a server can trick the two into negotiating encryption weak enough to break, and then read or alter the traffic. To close the gap, Apple now requires that servers offer stronger parameters before its products will connect to them. Specifically, Apple wants administrators to use a group size of 2048 bits or more for the Diffie-Hellman key exchange that sets up the TLS session. The company issued a support statement with the advice on July 1.
But those who hadn’t met Apple’s standards for encryption found that just turning it off altogether was the only workaround to get email to work. According to one forum user, email provider Easyspace suggested its clients disable SSL for their outgoing messages, leaving them unencrypted altogether.
Ian Morrison, operator of Toronto-based web services firm Nuclear Media, passed on advice from a thread in Apple’s support forums to his clients, but recommended holding off on the Apple upgrade rather than resorting to turning off SSL.
“Encryption is paramount, as users place an increasing amount of trust in the technology they use,” he says. “They trust the systems that are designed to keep their messages private, just as they trust a mail carrier not to open their packages.”
SSL, and its successor TLS, is the encryption layer used by many Internet protocols, including email sent over SMTP. SMTP itself was designed decades ago, before messages travelled over public Wi-Fi, and has no encryption built in; it is added on top, either through the STARTTLS extension or by connecting to a dedicated TLS submission port, and the server’s TLS configuration is what determines how strong that protection is.
Sending email without it would be a “step back,” says Claudiu Popa, founder of Informatica Security. But administrators should ensure encryption is put in place at every step of the communications flow.
“In the absence of full cycle encryption, such a confidentiality control as SSL offers little more than a false sense of security,” he says.
Administrators of email servers can also configure their servers to refuse unencrypted connections on the submission port, which would make the workaround suggested in the forum impossible: a client that cannot negotiate TLS with an acceptable Diffie-Hellman group would then fail to send at all rather than silently fall back to plaintext.
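As an added example, not code from the article, from Apple or from any of the companies quoted: a shell check for the Diffie-Hellman group size a mail server offers (the figure the updated Apple clients test against, as described above), alongside the Postfix settings that provide a 2048-bit group and, as the last paragraph suggests, refuse unencrypted sessions on the submission port. The host name mail.example.com, port 587 and the Postfix file paths are assumptions, and the two transcripts are constructed rather than captured.

```bash
#!/usr/bin/env bash
# Added example, not from the article or from Apple: check the Diffie-Hellman
# group size a mail server offers to its clients, then the Postfix settings
# that raise it to 2048 bits and refuse unencrypted sessions. The host name,
# port and file paths are assumptions for illustration.
#
# Live check against a real server (needs network; output feeds dh_bits):
#   openssl s_client -connect mail.example.com:587 -starttls smtp \
#       -cipher 'DHE' </dev/null 2>/dev/null | dh_bits

# Read "openssl s_client" output on stdin and print the DH group size in bits.
# OpenSSL 1.0.2 and later print a line such as "Server Temp Key: DH, 1024 bits";
# prints 0 when no finite-field DH exchange was negotiated (e.g. ECDH or RSA).
dh_bits() {
    awk -F'[, ]+' '/^Server Temp Key: DH/ { print $5; found = 1 }
                   END { if (!found) print 0 }'
}

# Exit 0 when the group in the given s_client transcript meets the 2048-bit
# requirement the updated Apple clients enforce, 1 otherwise.
dh_ok() {
    local bits
    bits=$(printf '%s\n' "$1" | dh_bits)
    [ "$bits" -ge 2048 ]
}

# Constructed transcripts (trimmed to the relevant lines), not real captures.
WEAK_SAMPLE='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits'
STRONG_SAMPLE='New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: DH, 2048 bits'

# Postfix remediation (file paths assumed): a freshly generated 2048-bit group
# for the DHE handshake in main.cf, and TLS made mandatory on the submission
# service in master.cf so that a client cannot fall back to plaintext.
postfix_fix() {
    cat <<'EOF'
# run once, it is slow:  openssl dhparam -out /etc/postfix/dh2048.pem 2048
# main.cf
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
# master.cf (submission service, port 587)
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
EOF
}

# Print a verdict for one transcript: $1 = label, $2 = transcript text.
report() {
    if dh_ok "$2"; then verdict=ok; else verdict=TOO-SMALL; fi
    printf '%-13s DH %4s bits: %s\n' "$1" "$(printf '%s\n' "$2" | dh_bits)" "$verdict"
}

report WEAK_SAMPLE "$WEAK_SAMPLE"
report STRONG_SAMPLE "$STRONG_SAMPLE"
postfix_fix
```

Run the commented openssl s_client line against your own server and pipe it into dh_bits; anything below 2048 is what the updated Mail clients reject. Despite its name, Postfix’s smtpd_tls_dh1024_param_file applies to all non-export DHE cipher suites. The encrypt level is set only on the submission service, since mandating TLS on port 25 would break inbound mail from other servers that do not support it.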