Patrick Lists wrote on 2013-09-12 09:23:
Hi Noel,
On 09/12/2013 08:54 AM, Noel Butler wrote:
[snip]
I'm always of the belief that if one person wants a feature, they might
be the only vocal person, but they are never really alone, so post your
patch, Timo can only either pull it in, or decline it, as for its useful
for others, only time will tell, but not even god will help those who
use it on a commercial network with paying customers - that's just plain
professional suicide.
Unless it was clearly stated what the requirements are when they sign
up. With NIST sleeping at the helm and the NSA having a field day it
would not surprise me if businesses understand the importance of
stronger encryption.
Why not turn it around? Why not tell the paying customer he is using an
unencrypted connection or with options that are insecure. Parse the
logfiles and make an additional section on the website where he/she can
see from where he/she had a successful login and the security level?
Make it red for unencrypted, orange/amber for insecure and green for a
"secure" connection. Most people like to have everything in the green
and you give them a choice what to do. Also the cost is almost nothing
for doing this. You could even make it a service for companies who get a
weekly/monthly PDF with an overview.
For now only Dovecot tells if it is a TLS-connection or not. Postfix for
example already tells if it is a TLSv1 connection and the cipher. If this
could be extended then sysadmins have a way to make a decision about the
path to follow or to advise to management.
Hans
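
The log-parsing idea from this message, as an added example that is not part of the original thread: it rates Dovecot login lines and Postfix TLS lines as red, amber or green. The Dovecot line layout assumes the default login_log_format_elements, the weak protocol and cipher lists are a policy assumption, and all log lines are constructed.

```python
import re

# Policy assumptions for this sketch, not from the thread: what counts as "insecure".
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_PARTS = ("RC4", "DES", "MD5", "EXP", "NULL")

# Dovecot login line, assuming the default login_log_format_elements.
DOVECOT_LOGIN = re.compile(
    r"(?:imap|pop3)-login: Login: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+)(?P<rest>.*)")
# Postfix smtpd TLS line (logged with smtpd_tls_loglevel = 1).
POSTFIX_TLS = re.compile(
    r"TLS connection established from (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")

def classify(line):
    """Return (who, source, level) for a relevant log line, else None."""
    m = POSTFIX_TLS.search(line)
    if m:
        weak = (m["proto"] in WEAK_PROTOCOLS
                or any(part in m["cipher"] for part in WEAK_CIPHER_PARTS))
        return ("smtp", m["peer"], "amber" if weak else "green")
    m = DOVECOT_LOGIN.search(line)
    if m:
        # Dovecot only logs a TLS flag, so amber cannot be decided from this line.
        tls = re.search(r",\s*TLS\b", m["rest"]) is not None
        return (m["user"], m["rip"], "green" if tls else "red")
    return None

def summarize(lines):
    """Classify every relevant line and skip the rest."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    "Sep 12 09:01:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=198.51.100.7, lip=192.0.2.1, mpid=4242, TLS",
    "Sep 12 09:03:10 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, "
    "rip=203.0.113.9, lip=192.0.2.1, mpid=4250",
    "Sep 12 09:04:00 mail postfix/qmgr[700]: 3F2A1: removed",
    "Sep 12 09:05:44 mail postfix/smtpd[811]: Anonymous TLS connection established "
    "from unknown[203.0.113.9]: TLSv1 with cipher RC4-SHA (128/128 bits)",
    "Sep 12 09:06:01 mail postfix/smtpd[812]: Anonymous TLS connection established "
    "from unknown[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
]

if __name__ == "__main__":
    for who, source, level in summarize(SAMPLE_LOG):
        print(f"{level:5}  {who:6} from {source}")
```

A Dovecot login can only come out red or green here because its log line carries no protocol or cipher, which is the gap the message points out.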