ietf-smtp

Re: [ietf-smtp] guidance on how to secure against sniffing and paid backdoors

2013-09-18 20:01:31
On Wed, Sep 18, 2013 at 03:32:17PM +0100, Paul Smith wrote:
> On 18/09/2013 15:11, keld(_at_)keldix(_dot_)com wrote:
>> The problems to solve have been known for a long time: snooping on lines.
>> We can rebuild a part of the internet in a safer version. To have a
>> chance to make some impact, I believe it is necessary to build safer
>> defaults into major MTAs like postfix and sendmail.
>
> My concern is that while something like TLS will have an effect on
> criminals snooping on wireless networks etc, I can't see how it would
> definitely help against governments.
>
> The issue is - how do I know that the mail server I am sending the
> message to is the one I should be sending the message to? If I don't
> know that with a good degree of certainty, then using TLS won't achieve
> security, because I could simply be dumping my messages on a compromised
> server.

Yes, and that could even be done with plain SMTP.
Come on, TLS would be safer than plain unencrypted SMTP.

But you are right, we cannot be sure we are talking to the right server.
Governments have lots of resources, and even for big countries it is
feasible to set up fake servers for every SMTP server in the country.

> DNS, IP addresses and certificates could all be subverted by a
> government at a 'choke point' such as an international link. Even if I
> knew for certain that '123.123.123.123' was the IP address I should be
> talking to (which is unlikely), it would be trivial for a router at a
> choke point to redirect that IP address to another machine instead of
> the one it was supposed to go to. If I am allowed to validate
> certificates (which is currently doubtful), then I'd have a bit more
> certainty, but, to be honest, can I trust that a CA won't issue fake
> certificates to a government?

There are friends out there. E.g. CAcert. Good certificates are an orthogonal
issue.
We can migrate SMTP to TLS, and we can at the same time one by one
get bad certificates replaced with good ones.
We can advise how to get good certificates too.

> Yes, use TLS where you can - it won't do any harm, and is better than
> not using TLS - but don't expect it to do anything significant to stop a
> government from snooping if it wants to, except with pre-known
> certificate fingerprints. I'd be reluctant to risk breaking
> interoperability to force TLS usage, because of the dubious benefit.

Agreed. We cannot trust a big part of the internet, and we should not
break the interoperability we have now. But TLS would not do any harm, and it
could improve security in some areas of the world.

best regards
Keld
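
The "pre-known certificate fingerprints" exception mentioned in the quoted text, as an added example that is not from either poster: a sending MTA's per-destination decision that stays opportunistic for unknown hosts, so interoperability is kept, and enforces a fingerprint only where one was exchanged out of band. The host names, the stand-in certificate bytes and the `decide` function are constructed for illustration.

```python
import hashlib
import hmac
from enum import Enum


class Action(Enum):
    DELIVER_PINNED = "deliver: TLS, peer matches pre-known fingerprint"
    DELIVER_OPPORTUNISTIC = "deliver: TLS, peer not authenticated"
    DELIVER_PLAINTEXT = "deliver: no TLS offered, no pin to enforce"
    REFUSE_MISMATCH = "defer: certificate does not match pin"
    REFUSE_DOWNGRADE = "defer: pinned host did not offer STARTTLS"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def decide(mx_host, offers_starttls, der_cert, pins):
    """pins maps MX hostname -> set of fingerprints obtained out of band."""
    pinned = pins.get(mx_host.lower())
    if pinned is None:
        # No pre-known fingerprint: encrypt when possible, never block mail.
        if offers_starttls and der_cert is not None:
            return Action.DELIVER_OPPORTUNISTIC
        return Action.DELIVER_PLAINTEXT
    if not offers_starttls or der_cert is None:
        # A pinned host without STARTTLS looks like the capability was
        # stripped on the path; do not fall back to plaintext.
        return Action.REFUSE_DOWNGRADE
    seen = fingerprint(der_cert)
    if any(hmac.compare_digest(seen, p) for p in pinned):
        return Action.DELIVER_PINNED
    # Valid-looking TLS to the wrong key: the redirected-server case.
    return Action.REFUSE_MISMATCH


# Constructed stand-ins for DER certificates; only their hash matters here.
GOOD_CERT = b"constructed stand-in: certificate of mx.example.org"
OTHER_CERT = b"constructed stand-in: certificate presented by another server"
PINS = {"mx.example.org": {fingerprint(GOOD_CERT)}}

if __name__ == "__main__":
    for host, tls, cert in [("mx.example.org", True, GOOD_CERT),
                            ("mx.example.org", True, OTHER_CERT),
                            ("mx.example.org", False, None),
                            ("mail.example.net", True, OTHER_CERT),
                            ("mail.example.net", False, None)]:
        print(host, "->", decide(host, tls, cert, PINS).value)
```

With Python's `smtplib`, the DER bytes would come from `smtp.sock.getpeercert(binary_form=True)` after `starttls()`.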