From Wikipedia, the free encyclopedia - View original article
STARTTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.
TLS is application-neutral; in the words of RFC 5246
The style used to specify how to use TLS matches the same layer distinction that is also conveniently supported by several library implementations of TLS. E.g., the RFC 3207 SMTP extension illustrates with the following dialog how a client and server can start a secure session:
S: <waits for connection on TCP port 25> C: <opens connection> S: 220 mail.example.org ESMTP service ready C: EHLO client.example.org S: 250-mail.example.org offers a warm hug of welcome S: 250 STARTTLS C: STARTTLS S: 220 Go ahead C: <starts TLS negotiation> C & S: <negotiate a TLS session> C & S: <check result of negotiation> C: EHLO client.example.org . . .
The last EHLO command above is issued over a secure channel. Note that authentication is optional in SMTP, and the omitted server reply may now safely advertise an AUTH PLAIN SMTP extension, which is not present in the plain-text reply.
Before STARTTLS was well established, a number of TCP ports were defined for SSL-secured versions of well-known servers. These establish secure communications and then present a communication stream identical to the old un-encrypted protocol. These are no longer recommended, since STARTTLS makes more efficient use of scarce port numbers and allows simpler device configuration. On the other hand, SSL ports have the advantage of fewer round-trips; also less meta-data is transmitted in unencrypted form. Some examples include:
|Protocol||Purpose||Normal port||SSL variant||SSL port|
|SMTP||Send email||25/587||SMTPS||465 (legacy)|
Following the revelations made by Edward Snowden in light of the global, mass surveillance scandal, popular email providers have bettered their email security by enabling STARTTLS. Facebook reported that after enabling STARTTLS and encouraging other providers to do the same, 95% of Facebook's outbound email is encrypted with both Perfect Forward Secrecy and strict certificate validation.
|This Internet-related article is a stub. You can help Wikipedia by expanding it.|