Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields

ietf-822

Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15

2008-07-23 21:30:31


Tony Finch wrote:

Of course MUAs should just use the protocol's negotiation features to
auto-configure the most secure settings possible.

strongly disagree. the problem is that when you try to negotiate themost secure settings possible, you often create a way for thenegotiation to be dumbed down by an attacker to the least secure settingpossible.

e.g. for an MUA that tries first to use an "SSL port" and if that fails,tries to use the normal port without SSL (and sending the password incleartext) all the attacker has to do is arrange for the client to seean ICMP port unreachable packet or TCP RST at the right time, afterwhich the client will happily send the user's password in cleartext.


Keith

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, (continued) Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Keith Moore Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Lisa Dusseault Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Dave Crocker Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Michael Welzl Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Hector Santos Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Keith Moore Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Michael Welzl Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Tony Finch Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Hector Santos Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Keith Moore Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Keith Moore <= Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Tony Finch Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Keith Moore Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Tony Finch Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Keith Moore MUA auto-configuration, was Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Tony Finch Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Michael Welzl Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Charles Lindsey Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Jeff Macdonald Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Michael Welzl Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Hector Santos

Previous by Date:	Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Keith Moore
Next by Date:	Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Tony Finch
Previous by Thread:	Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Keith Moore
Next by Thread:	Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15, Tony Finch
Indexes:	[Date] [Thread] [Top] [All Lists]