Point for discussion: STARTTLS rating #2987

@drwetter

Description

Which version are you referring to?
3.2 and 3.3dev

Did you read the FAQ?
yup

A good friend of mine brought up a point for discussion: For STARTTLS services one should distinguish between active and passive threats. Active would be a MiTM scenario, which may be more difficult to obtain as it requires access to the network. Passive is just snooping and decoding. (comment: that would also require network access at the moment of recording, but it can be decoded any time later).

I argued that the client side is not as strict as for browsers -- which ALWAYS check certificates and have more control over what goes over an unencrypted channel (mixed content is nowadays not an issue anymore). OTOH SMTP over port 25 e.g. often prefers to just deliver e-mails, regardless of whether the certificate is fine or even whether a TLS upgrade is offered at all. And there's an intrinsic problem with two-layer communication (clear text + TLS) which led to security problems like Opossum or STARTTLS injection.

It was argued though that T equals missing trust and that it was kind of unfair, as one can just as well screw everything up on the server side. Point kind of taken.

As said, however, for STARTTLS the unknown part is how the client behaves. That is something we take for granted when rating the HTTP service. We can only roll the dice.

Suggestions off the top of my head:
a) we remove any rating for STARTTLS -- SSLlabs doesn't have that in the first place
b) we introduce a new rating category (like S for STARTTLS or M for MiTM required)
c) we use a letter like b) along with the rating when ignoring that it's a client-side problem -- resulting in AM, BS or better A/M or B/S (BS would appear a bit ambiguous though 😂)

What's your stance?
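An added example, not code from testssl.sh or from the issue author, that makes the post's active/passive distinction concrete from the client side. It probes one SMTP server the way a strict client would (chain and hostname verified), and only if that fails retries without verification, so the outcome says whether the endpoint is readable by passive snooping (no STARTTLS), protected against snooping only (STARTTLS works, certificate does not verify, so an active MiTM is still unopposed), or protected against both. The category names, the hostnames in the usage comment, and the constructed EHLO reply in the docstring are assumptions; the probe itself needs network access, the parser and classifier run offline.

```python
"""Classify an SMTP STARTTLS endpoint by the threat it still leaves open.

Added example, not part of testssl.sh. Category names and hostnames below
are assumptions made for illustration.
"""
import smtplib
import ssl
from dataclasses import dataclass


@dataclass
class StarttlsResult:
    offered: bool          # server advertised STARTTLS in its EHLO reply
    handshake_ok: bool     # a TLS handshake could be completed at all
    cert_verified: bool    # chain and hostname verified as a browser would
    detail: str = ""


def parse_ehlo_extensions(reply: bytes) -> set:
    """Return the ESMTP extension keywords from an EHLO reply.

    Accepts both the raw wire form ("250-STARTTLS") and smtplib's stripped
    form ("STARTTLS" per line). The first line carries the server's domain
    (e.g. the constructed "250-mail.example.test Hello") and is never an
    extension.
    """
    exts = set()
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:
        if len(line) >= 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]  # drop "250-" / "250 " from a raw reply line
        words = line.strip().split()
        if words:
            exts.add(words[0].upper())
    return exts


def classify(r: StarttlsResult) -> str:
    """Map a probe result onto the passive/active threat distinction."""
    if not r.offered:
        return "cleartext"           # passive snooping already reads everything
    if not r.handshake_ok:
        return "tls-broken"          # offered, but no client can upgrade
    if not r.cert_verified:
        return "passive-only"        # snooping blocked; an active MiTM is not
    return "active-and-passive"      # what a browser-grade client would accept


def _upgrade(host, port, ctx, timeout):
    """Fresh session: EHLO, then STARTTLS with ctx. Returns (offered, tls_version)."""
    s = smtplib.SMTP(host, port, timeout=timeout)
    try:
        _code, msg = s.ehlo()
        if "STARTTLS" not in parse_ehlo_extensions(msg):
            return False, None
        s.starttls(context=ctx)
        s.ehlo()  # RFC 3207: forget pre-TLS knowledge, EHLO again inside TLS
        return True, s.sock.version()
    finally:
        s.close()


def probe_smtp_starttls(host: str, port: int = 25, timeout: float = 10.0) -> StarttlsResult:
    """Probe one server strictly first, then (only if needed) without verification."""
    strict = ssl.create_default_context()  # verifies chain and hostname
    try:
        offered, ver = _upgrade(host, port, strict, timeout)
    except ssl.SSLCertVerificationError:
        pass  # TLS itself may still work; fall through to the unverified pass
    except (ssl.SSLError, smtplib.SMTPException, ConnectionError) as e:
        return StarttlsResult(True, False, False, f"handshake failed: {e}")
    else:
        if not offered:
            return StarttlsResult(False, False, False, "STARTTLS not advertised")
        return StarttlsResult(True, True, True, f"verified, {ver}")

    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE   # deliberately accept any certificate
    try:
        _offered, ver = _upgrade(host, port, lax, timeout)
    except (ssl.SSLError, smtplib.SMTPException, ConnectionError) as e:
        return StarttlsResult(True, False, False, f"handshake failed: {e}")
    return StarttlsResult(True, True, False, f"certificate not verifiable, {ver}")


if __name__ == "__main__":
    import sys
    # usage: python starttls_probe.py mail.example.test [port]   (hostname assumed)
    target = sys.argv[1]
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    result = probe_smtp_starttls(target, tport)
    print(classify(result), "-", result.detail)
```

The two-pass design mirrors the post's point that the client decides the outcome: the same server lands in "passive-only" for a verifying client and in "deliver anyway" territory for an opportunistic MTA. Connection errors (refused, DNS) are left to propagate, since they say nothing about TLS.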
