TLS is one of today's most widely used and best-analyzed encryption technologies. However, for historical reasons, TLS for email protocols is often not used directly but negotiated via STARTTLS. This additional negotiation added complexity and was prone to security vulnerabilities such as naive STARTTLS stripping or command injection attacks in the past.

We performed the first structured analysis of STARTTLS in SMTP, POP3, and IMAP and introduced a semi-automatic testing toolkit (EAST) to analyze email clients. We used EAST to analyze 28 email clients and 23 email servers, resulting in over 40 STARTTLS related issues. Only 3 out of 28 clients and 7 out of 23 servers did not show any STARTTLS-specific security issues. We conclude that STARTTLS is error-prone to implement, under-specified in the standards, and should be avoided.