On 23 October 2023 10:26:57 UTC, Jaroslaw Rafa via mailop <mailop@mailop.org> wrote:
> However, all this discussion is hardly related to email, as - as many have
> noted - there's hardly any certificate checking at all between MTAs.

Do you want to say that MUA communications are not part of email? Do our MTAs work only for themselves, with mail ending nowhere, or do they provide a transport channel for end users, and thus end users are what matter? Or do all your users still authenticate and send/read their own mail over plaintext, and TLS is important only for MTA-MTA?

As someone else pointed out, MUAs don't do DANE, nor SCT, nor anything extra to check certs. AFAIK support for SCRAM+ auth is not common (if any). In other words, that XMPP incident is fully applicable to email: it is possible to intercept your users' connections, and one can do only very little to avoid that.

Mary: server authentication is a required part of TLS, thus that was a successful break of TLS. As with a chain, TLS is only as secure as its individual parts are... Yes, it is nothing new, and yes, the server's auth was successful due to a valid (but rogue) certificate. That cert was issued due to MiTM, which is a known problem too, but then it can be an insufficiency in ACME (or PKI); anyway, it shows how TLS can be broken.

AFAIK TLS 1.3 significantly reduced the number of cipher suites (besides other things), thus it significantly reduces the possibility of using weak ciphers, or, put the other way, increases encryption security. But TLS is (or should be) not only about encryption. The question which comes to my mind is whether omitting the other parts of TLS was not intended...

regards

-- 
Slavko
https://www.slavino.sk/

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
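Editor's note, added example (not part of the message above, and not code from Slavko or anyone on the list): the "SCRAM+" mechanism mentioned above is SCRAM-SHA-256-PLUS (RFC 5802 / RFC 7677) with TLS channel binding, and it is the one SASL option an MUA has against exactly the scenario described: a relay holding a CA-valid but rogue certificate. The script below runs the four SCRAM messages for both sides offline and shows why the relay fails: the client binds its proof to the certificate it saw on its own TLS connection, the server compares that against its own certificate, and the two differ. Assumptions: the "certificates" are constructed byte strings standing in for DER, SHA-256 is used for the tls-server-end-point digest (RFC 5929 derives the hash from the certificate's signature algorithm), and the user name, password and nonces are made up.

```python
"""SCRAM-SHA-256-PLUS (RFC 5802 / RFC 7677) with tls-server-end-point channel
binding (RFC 5929), simulated offline with both sides' messages in one place.
Constructed example: certificates are plain byte strings, not real DER."""
import base64
import hashlib
import hmac
import os

# gs2-header: "p=" means the client demands channel binding and names which one.
GS2_HEADER = b"p=tls-server-end-point,,"

# Constructed stand-ins for the DER encoding of two certificates.
REAL_CERT = b"constructed DER of the real mail server certificate"
ROGUE_CERT = b"constructed DER of a CA-valid certificate obtained by a MitM"


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def HMAC(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def endpoint_cb(cert_der: bytes) -> bytes:
    """tls-server-end-point binding data: a hash of the server certificate the
    TLS peer actually negotiated with.  RFC 5929 picks the hash from the cert's
    signature algorithm; SHA-256 is assumed here for simplicity."""
    return hashlib.sha256(cert_der).digest()


def provision(password: str, iterations: int = 4096) -> dict:
    """What the server stores for a user (RFC 5802 section 3): no password,
    only salt, iteration count, StoredKey and ServerKey."""
    salt = os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": H(HMAC(salted, b"Client Key")),
            "server_key": HMAC(salted, b"Server Key")}


def scram_plus(username: str, password: str, creds: dict,
               cert_seen_by_client: bytes, cert_of_server: bytes) -> bool:
    """Run the four SCRAM messages.  The client binds the exchange to the
    certificate it saw on its own TLS connection; the server binds it to its
    own certificate.  Returns True only if both sides authenticate."""
    # 1. client-first-message (gs2-header + bare part); the bare part is what
    #    both sides later feed into AuthMessage.
    client_nonce = b64(os.urandom(18))
    client_first_bare = f"n={username},r={client_nonce}".encode()
    client_first = GS2_HEADER + client_first_bare

    # 2. server-first-message: extend the nonce, announce salt and iterations.
    nonce = client_nonce + b64(os.urandom(18))
    server_first = f"r={nonce},s={b64(creds['salt'])},i={creds['iterations']}".encode()

    # 3. client-final-message: c= carries gs2-header + channel-binding data,
    #    p= is ClientKey XOR HMAC(StoredKey, AuthMessage).
    cb_client = b64(GS2_HEADER + endpoint_cb(cert_seen_by_client))
    client_final_bare = f"c={cb_client},r={nonce}".encode()
    auth_message = client_first_bare + b"," + server_first + b"," + client_final_bare
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), creds["salt"], creds["iterations"])
    client_key = HMAC(salted, b"Client Key")
    client_proof = xor(client_key, HMAC(H(client_key), auth_message))
    client_final = client_final_bare + b",p=" + b64(client_proof).encode()

    # 4. server side: check channel binding first, then nonce, then the proof.
    attrs = dict(item.split("=", 1) for item in client_final.decode().split(","))
    if attrs["c"] != b64(GS2_HEADER + endpoint_cb(cert_of_server)):
        return False  # client bound to a different TLS session: relay detected
    if attrs["r"] != nonce:
        return False
    srv_auth_message = (client_first[len(GS2_HEADER):] + b"," + server_first + b","
                        + client_final.rsplit(b",p=", 1)[0])
    recovered_key = xor(base64.b64decode(attrs["p"]), HMAC(creds["stored_key"], srv_auth_message))
    if not hmac.compare_digest(H(recovered_key), creds["stored_key"]):
        return False  # wrong password: H(ClientKey) != StoredKey

    # server-final-message: v= proves the server knows ServerKey; the client
    # recomputes it from its own SaltedPassword, so a server that never had
    # the credentials cannot fake this step either.
    server_final = b"v=" + b64(HMAC(creds["server_key"], srv_auth_message)).encode()
    expected = b"v=" + b64(HMAC(HMAC(salted, b"Server Key"), auth_message)).encode()
    return hmac.compare_digest(server_final, expected)


def demo() -> dict:
    """Direct connection succeeds; a relay with a rogue cert and a wrong
    password both fail, even though the relay forwarded every message intact."""
    pw = "correct horse battery staple"
    creds = provision(pw)
    return {"direct": scram_plus("alice", pw, creds, REAL_CERT, REAL_CERT),
            "mitm_with_rogue_cert": scram_plus("alice", pw, creds, ROGUE_CERT, REAL_CERT),
            "wrong_password": scram_plus("alice", "hunter2", creds, REAL_CERT, REAL_CERT)}


if __name__ == "__main__":
    print(demo())
```

The point to take from the relay case is that the forwarded proof is cryptographically valid; it fails only because the server explicitly compares the received c= value with its own binding data, which RFC 5802 requires of any server that advertises the -PLUS variant. A server that offers SCRAM-SHA-256 without -PLUS, or an MUA that does not request it, gets none of this protection, which is what the message above means by SCRAM+ support being uncommon.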