On Thu, Aug 10, 2006 at 04:06:38PM -0600, Bob Beck wrote:
> > Also, while STARTTLS does have its merits, it's still better suited for
> > handling MTA authentication than protecting user data - use GPG for the
> > latter.
>
> STARTTLS opportunistically between MTAs is wonderful for
> making shit like Carnivore unusable. The Government should not be
> able to do that so easily. Make them break into your Windows machine and
> install a keylogger like everyone else does.
STARTTLS is something that is marginally useful for data security - if
the FBI is really after you, do you think they will have any troubles
with tapping a little farther upstream?
No, e-mail privacy is handled by GnuPG, S/MIME, or whatever half-baked
scheme you can cook up - STARTTLS isn't the answer, especially if your
implementation will happily speak plain SMTP if STARTTLS isn't
available [1].
Certainly, wide deployment of STARTTLS would make endpoint sniffing less
useful, but it's not like centralized sniffing isn't more efficient
anyway.
Joachim
[1] Man-in-the-middle, anyone? This same problem applies to many MUAs.
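The footnote's point, that an opportunistic client falls back to plain SMTP whenever STARTTLS is not advertised, can be made concrete with a small model of the client-side decision. The following is an added example, not code from this thread or from any MTA: it parses an EHLO reply, then applies either an "opportunistic" policy (the weak behaviour the footnote describes) or a "mandatory" policy that fails closed. The two EHLO replies are constructed; the second is what the client sees if something between it and the server has removed the STARTTLS line.

```python
"""Model of an SMTP client's post-EHLO transport decision (constructed example)."""
import re

# Constructed EHLO reply from a server that offers STARTTLS (RFC 5321 multiline
# format: '250-' continuation lines, '250 ' final line).
EHLO_WITH_STARTTLS = (
    "250-mail.example.org Hello client.example.net\r\n"
    "250-SIZE 20480000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed EHLO reply as seen when an on-path party has stripped the
# STARTTLS keyword; the server itself would still have offered it.
EHLO_STARTTLS_STRIPPED = (
    "250-mail.example.org Hello client.example.net\r\n"
    "250-SIZE 20480000\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(ehlo_response: str) -> set:
    """Return the SMTP extension keywords advertised in an EHLO reply.

    The first line carries the server's domain and is skipped; every
    following '250-' or '250 ' line starts with an extension keyword.
    """
    extensions = set()
    for line in ehlo_response.splitlines()[1:]:
        match = re.match(r"250[- ](\S+)", line)
        if match:
            extensions.add(match.group(1).upper())
    return extensions


def choose_transport(ehlo_response: str, policy: str) -> str:
    """Decide how the client proceeds after EHLO.

    policy "opportunistic": STARTTLS if offered, otherwise send in the clear.
    policy "mandatory":     STARTTLS if offered, otherwise abort the session.
    Returns "starttls", "plaintext" or "abort".
    """
    if "STARTTLS" in parse_ehlo_extensions(ehlo_response):
        return "starttls"
    if policy == "opportunistic":
        return "plaintext"  # the downgrade the footnote warns about
    if policy == "mandatory":
        return "abort"      # fail closed: no TLS, no message
    raise ValueError(f"unknown policy: {policy!r}")


if __name__ == "__main__":
    for name, reply in (("genuine", EHLO_WITH_STARTTLS),
                        ("stripped", EHLO_STARTTLS_STRIPPED)):
        for policy in ("opportunistic", "mandatory"):
            print(f"{name:8s} {policy:13s} -> {choose_transport(reply, policy)}")
```

With the genuine reply both policies negotiate TLS; with the stripped reply the opportunistic client silently sends in the clear while the mandatory client refuses. Real MTAs expose the same choice as configuration, for example Postfix's `smtp_tls_security_level` set to `may` (opportunistic) versus `encrypt` (mandatory); note that even the mandatory policy here only guarantees encryption, not that the server's certificate was verified, which is a separate setting.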