ietf-smtp

Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal

2019-01-08 17:33:51

If starttls is subject to a downgrade attack, what prevents the same attack
against the same pair of hosts attempting smtps instead?


A snippet from my proposal.

Whoever opts for "SMTPS (Implicit TLS)" must also make sure that they have
"Opportunistic TLS" with a valid SSL certificate on port 25. Thus the client
can decide to either speak securely or not speak at all.

On Tue, Jan 8, 2019 at 10:53 PM <valdis(_dot_)kletnieks(_at_)vt(_dot_)edu> wrote:

On Tue, 08 Jan 2019 22:07:49 +0530, Viruthagiri Thirumavalavan said:
smtps protects everything from top to bottom like https. In opportunistic
encryption, the conversation gets started as plain text and gets upgraded to
a secure connection when the server presents an opportunity.

Why do you wanna combine both?

It would be a useful exercise to go through and enumerate the exact difference
between the protection provided by smtps that starttls doesn't provide.

Hint: If starttls is subject to a downgrade attack, what prevents the same
attack against the same pair of hosts attempting smtps instead?



-- 
Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
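
The client-side choice discussed in the message above ("speak securely or don't speak at all"), shown against a STARTTLS downgrade, as an added example that is not part of the original post or the proposal. The EHLO replies are constructed, and the `require_tls` flag and function names are hypothetical; how a client would learn that a server has opted in is not covered here.

```python
# Constructed EHLO replies; mx.example.test is a placeholder host.
GENUINE_EHLO = (
    "250-mx.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same reply with the STARTTLS line removed in transit.
STRIPPED_EHLO = (
    "250-mx.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply):
    """Return the set of extension keywords in a multi-line 250 reply."""
    lines = [ln for ln in reply.split("\r\n") if ln]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"unexpected reply line: {line!r}")
        is_last = line[3] == " "  # "250 " marks the final line, "250-" a continuation
        if is_last != (i == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if i == 0:
            continue  # first line carries the server's domain, not an extension
        words = line[4:].split()
        if words:
            keywords.add(words[0].upper())
    return keywords


def next_step(reply, require_tls):
    """Decide what the client sends after EHLO.

    require_tls is a hypothetical flag: True means the client already
    expects TLS from this server and will not fall back to cleartext.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "STARTTLS"  # certificate validation follows the handshake
    if require_tls:
        return "QUIT"  # fail closed: do not speak at all
    return "MAIL FROM in cleartext"  # opportunistic fallback, downgraded silently
```

With `require_tls=False` the stripped reply is indistinguishable from a server that never offered TLS, so the client proceeds in cleartext; with `require_tls=True` the same reply ends the session.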