On Wed, Sep 18, 2013 at 03:32:17PM +0100, Paul Smith wrote:
On 18/09/2013 15:11, keld(_at_)keldix(_dot_)com wrote:
The problems to solve are known for a long time, snooping on lines.
We can rebuild a part of the internet in a safer version. To have a
chance to make some impact, I believe it is necesary to build safer
defaults into major MTAs like postfix and sendmail.
My concern is that while something like TLS will have an effect on
criminals snooping on wireless networks etc, I can't see how it would
definitely help against governments.
The issue is - how do I know that the mail server I am sending the
message to is the one I should be sending the message to? If I don't
know that with a good degree of certainty, then using TLS won't achieve
security, because I could simply be dumping my messages on a compromised
server.
Yes, and that could even be done with plain SMTP.
Come on, TLS would be safer than plain unencrypted SMTP.
But you are right, we cannot be sure we are talking to the right server.
Governments have lots of ressources, and even for big countries it is
feasible to set up fake servers for every SMTP server in the country.
DNS, IP addresses and certificates could all be subverted by a
government at a 'choke point' such as an international link. Even if I
knew for certain that '123.123.123.123' was the IP address I should be
talking to (which is unlikely), it would be trivial for a router at a
choke point to redirect that IP address to another machine instead of
the one it was supposed to go to. If I am allowed to validate
certificates (which is currently doubtful), then I'd have a bit more
certainty, but, to be honest, can I trust that a CA won't issue fake
certificates to a government?
There are friends out there. Eg CAcert. Good certificates are an orthogonal
issue.
We can migrate SMTP to TLS, and we can at the same time one by one
get bad certificates replaced with good ones.
We can advise how to get good certificates too.
Yes, use TLS where you can - it won't do any harm, and is better than
not using TLS - but don't expect it to do anything significant to stop a
government from snooping if it wants to, except with pre-known
certificate fingerprints. I'd be reluctant to risk breaking
interoperability to force TLS usage, because of the dubious benefit.
Agreed, We cannot trust a big part of the internet, and we should not
break the interoperability we have now. But TLS would not do any harm, and it
could
improve security in some areas of the world.
best regards
Keld
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp