[Cialug] Dumb. Dumb Security.
Nicolai
nicolai-cialug at chocolatine.org
Mon Aug 20 17:20:45 CDT 2012
On Mon, Aug 20, 2012 at 03:44:11PM -0500, Todd Walton wrote:
> "Given the ubiquity of encrypted email we've not spent the time to
> offer finer control of email preferences.
The Postfix documentation disagrees:
"Despite the potential for eliminating "man-in-the-middle" and
other attacks, mandatory secure server certificate
verification is not viable as a default Internet mail delivery
policy. Most MX hosts do not support TLS at all, and a
significant portion of TLS enabled MTAs use self-signed
certificates, or certificates that are signed by a private
certificate authority."
http://www.postfix.org/TLS_README.html
(Never mind rampant security problems in OpenSSL!)
A few months ago there was a thread on the mailop list about SSL/TLS
versions seen in mail service, and 4 people posted breakdowns showing
enough mail to suggest a wide variety of mail traffic. Of those 4, 2
reported 10-12% of outbound mail (thus not affected by spambots) to use
SSL/TLS. Another reported 24% and the last 60%, which seems high.
So yeah, not many receivers can accept mail over SSL/TLS, and many of
those who do use self-signed certs. So again, this is funny:
> "Given the ubiquity of encrypted email we've not spent the time to
> offer finer control of email preferences.
Ubiquity... they don't know what they're talking about.
Nicolai
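Postfix already offers the per-destination control the quoted vendor says it never built. As an added example (not from this post or from the Postfix documentation it quotes): a main.cf fragment that keeps opportunistic TLS as the Internet-wide default, as TLS_README advises, and tightens policy only for two constructed destinations; partner.example, selfsigned.example, the policy table path and the CA bundle path are assumptions.

```ini
# ---- /etc/postfix/main.cf (SMTP client side) ----
# Opportunistic TLS: STARTTLS when the remote MX offers it, plaintext otherwise.
# The only workable default, since most MX hosts offer no TLS at all and many
# that do present self-signed certificates.
smtp_tls_security_level = may

# Log which receivers offered STARTTLS even when it went unused, so the real
# share of TLS-capable peers can be measured from the mail log.
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1

# CA bundle consulted only for destinations whose policy requires verification.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt   # assumed path

# Per-destination overrides: the "finer control" missing from the quoted claim.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy") ----
# "secure": TLS mandatory, certificate chain and name verified against the
# bundle above; on failure the mail is deferred, never sent in plaintext.
partner.example     secure  match=.partner.example:partner.example
# "encrypt": TLS mandatory but the certificate is not verified. Fits a partner
# with a self-signed cert; stops passive eavesdropping, not an active MITM.
selfsigned.example  encrypt
```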