On Mon, Aug 18, 2014 at 08:15:49AM -0600, Aaron Toponce wrote:
> On Mon, Aug 18, 2014 at 09:59:33AM -0400, Mark H. Wood wrote:
> > Perhaps it would be a start if sites providing SMTP would turn on
> > STARTTLS.
>
> STARTTLS does not encrypt mail. It only provides safe passage over the
> network.

Sure, it does encrypt mail. My SMTP has mail from me to deliver. It contacts an SMTP that it thinks can get the mail closer to its addressee. My SMTP sends STARTTLS, the receiving SMTP agrees, they handshake, and the rest of the session, including MAIL FROM, RCPT TO, and my mailgram following the DATA, is encrypted over the wire.

> It is also client/server encrypted and decrypted. Thus, an administrator with
> root at an SMTP server can view the mail once the mail transfer is decrypted.

As is often said here, "what's your threat model?" Keeping nonprivileged people out of the transaction is worthwhile, if I am worried about mail being spied on in transit. STARTTLS greatly reduces the number of parties who could just read email metadata if they have access to the wire. Sysadmins take a risk if they are prying into the mail spool -- they could be discovered. Governments, too, may judge that the cost of exposure of such activity is worth more than the advantage of doing it.

But I wouldn't depend solely on STARTTLS for securing email any more than I am satisfied to depend solely on encrypting the message body with OpenPGP or similar means. I believe in making the bad guys take as much time, create as much mess, and make as much noise as I can compel. It costs almost nothing to make as much trouble as possible for snoopers, and it's interesting work, so why not do it?

> Also, many big mail vendors have already enabled SSL/TLS/STARTTLS, such as
> Google, Yahoo, and Microsoft.

You mean those webmail thingies that I never use? There's so much we don't know about their security practices that I wasn't even thinking about such services. My remark was focused on the scenario above: there is a local MUA, a local MTA and a remote MTA.

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
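The exchange Mark describes (EHLO, the server advertising STARTTLS, the client upgrading, then MAIL FROM / RCPT TO / DATA travelling inside TLS) is easy to check against a real MTA. The script below is an added example for this thread, not code from the list or from GnuPG: it connects to a mail exchanger, reads the EHLO extensions, attempts the STARTTLS upgrade with Python's default verifying context, and classifies what a wire observer is left with. The EHLO reply embedded in it is constructed for the offline demonstration, `mx.example.org` is a placeholder host, and the classification strings are this example's own vocabulary.

```python
"""Probe an MTA: does it advertise STARTTLS, does the upgrade succeed,
and is the peer certificate verified?  Added example, not list code."""
import smtplib
import ssl
import sys

# Constructed EHLO reply, in the form smtplib.SMTP.ehlo() returns it:
# first line is the server greeting, each later line one extension.
SAMPLE_EHLO_REPLY = (
    b"mx.example.org Hello client.example.net [192.0.2.10]\n"
    b"SIZE 52428800\n"
    b"8BITMIME\n"
    b"STARTTLS\n"
    b"ENHANCEDSTATUSCODES\n"
    b"PIPELINING"
)

# Classification labels used by this example (not standard terms).
CLEARTEXT_NOT_OFFERED = "cleartext: STARTTLS not advertised (or stripped in transit)"
CLEARTEXT_UPGRADE_FAILED = "cleartext: STARTTLS advertised but the handshake failed"
ENCRYPTED_UNAUTHENTICATED = "encrypted but unauthenticated: peer certificate not verified"
ENCRYPTED_AUTHENTICATED = "encrypted and authenticated to the host name"


def parse_ehlo_extensions(reply: bytes) -> set:
    """Return the upper-cased extension keywords from an EHLO reply body."""
    lines = reply.decode("ascii", "replace").splitlines()
    extensions = set()
    for line in lines[1:]:            # skip the greeting line
        parts = line.split(None, 1)   # keyword, optional parameters
        if parts:
            extensions.add(parts[0].upper())
    return extensions


def classify_transport(offers_starttls: bool, tls_established: bool,
                       cert_verified: bool) -> str:
    """Map a probe outcome to what someone on the wire can still do."""
    if not offers_starttls:
        return CLEARTEXT_NOT_OFFERED
    if not tls_established:
        return CLEARTEXT_UPGRADE_FAILED
    if not cert_verified:
        return ENCRYPTED_UNAUTHENTICATED
    return ENCRYPTED_AUTHENTICATED


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0,
                   verify: bool = True) -> dict:
    """Connect, EHLO, attempt STARTTLS, and report the negotiated state.

    verify=True checks the chain and host name (stricter than plain
    opportunistic TLS); verify=False still encrypts but accepts any
    certificate, which is what an active attacker on the path needs.
    """
    result = {"host": host, "port": port, "extensions": set(),
              "offers_starttls": False, "tls_established": False,
              "cert_verified": False, "tls_version": None,
              "cipher": None, "error": None}
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, reply = smtp.ehlo()
            result["extensions"] = parse_ehlo_extensions(reply)
            result["offers_starttls"] = "STARTTLS" in result["extensions"]
            if result["offers_starttls"]:
                smtp.starttls(context=ctx)   # raises on handshake/verify failure
                result["tls_established"] = True
                result["cert_verified"] = verify
                result["tls_version"] = smtp.sock.version()
                result["cipher"] = smtp.sock.cipher()[0]
                smtp.ehlo()                  # RFC 3207: EHLO again after the upgrade
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    result["classification"] = classify_transport(
        result["offers_starttls"], result["tls_established"],
        result["cert_verified"])
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.org"  # placeholder
    for key, value in probe_starttls(target).items():
        print(f"{key}: {value}")
```

Run it as `python probe.py mx.yourdomain.example` against a host you are allowed to test. A server that never lists STARTTLS in its EHLO reply leaves the whole session, envelope and body, readable to anyone on the wire; a server that lists it but fails the handshake falls back to the same state, which is why an MTA configured for mandatory rather than opportunistic TLS is the stronger setting. A successful upgrade with `verify=True` is the only outcome in which the wire observer is also kept from impersonating the next hop; none of this changes what root on the receiving MTA can read once the session is decrypted, which is Aaron's point.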