On 20.05.2014 16:21, Viktor Dukhovni wrote:
>> We did discuss and
>> change the scoring soon after the service launched, while originally
>> being based on the scoring system from Ivan Ristic @ Qualys at
>> ssllabs.com for https. Yes, perhaps stupid, but it seemed better than
>> creating our own scoring system.
> Opportunistic TLS in SMTP is nothing like mandatory TLS in HTTPS.
> Yes, it uses the same protocol engine, but the threat model is
> completely different. The sooner people stop carrying over flawed
> reasoning from HTTPS to SMTP+STARTTLS the better.
> Please change your site to reflect the correct risk model (opportunistic
> TLS). You should also add support for DANE, so that DANE-capable
> MTAs are not mis-identified as insecure (for example DANE-EE(3)
> certificate usage obviates the need for the hostname to match).
I second this. I have been using the site since it became public and
have discussed the same with the designers ad nauseam, and there seems
to be little interest in wanting to understand that TLS in the context of
HTTP and SMTP are two very different worlds in terms of starting
problems and possible achievements.
I run what I consider to be fairly well configured MXes for customers,
and this site generally tends to cap my score at 68% given the support
for weaker protocols.
Not only is it misleading for people trying to configure their own
servers, but it has drawn attention from customers who do not always have
the understanding of why this site hands out the scores it does.
So basically, until the site can reflect the real world, it seems to be
of limited use.
mvh,
A
--
Alexander Hoogerhuis | http://no.linkedin.com/in/alexh
Boxed Solutions AS | +47 908 21 485 - al...@boxed.no
"Given enough eyeballs, all bugs are shallow." -Eric S. Raymond
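To make concrete the point Viktor raises about DANE-EE(3), here is an added example (not from the thread or from any MTA's code) of how an SMTP client applies TLSA records to a server's presented certificate chain, following RFC 6698, RFC 7671 and RFC 7672: DANE-EE(3) matches the end-entity certificate or its public key directly and skips the hostname and expiry checks, DANE-TA(2) matches an issuer in the chain and still requires the name to match, and the PKIX-TA(0)/PKIX-EE(1) usages are unusable for SMTP. The certificate and SPKI byte strings, the names `mail.example.net` and `mx1.example.org`, and the `Cert`/`TLSA` classes are constructed placeholders; a real verifier would feed in DER from the TLS handshake and also validate the chain signatures for usage 2, which this toy omits.

```python
"""Toy TLSA matching for SMTP DANE (RFC 6698, RFC 7671, RFC 7672)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    cert_der: bytes     # DER of the whole certificate (placeholder bytes here)
    spki_der: bytes     # DER of its SubjectPublicKeyInfo (placeholder bytes here)
    names: tuple = ()   # DNS names carried in CN/SAN (empty for issuer certs)


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def selected(cert: Cert, selector: int) -> bytes:
    """Pick the part of the certificate the selector refers to."""
    if selector == 0:
        return cert.cert_der
    if selector == 1:
        return cert.spki_der
    raise ValueError(f"unknown selector {selector}")


def association_data(blob: bytes, mtype: int) -> bytes:
    """Apply the matching type to the selected bytes."""
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_for(cert: Cert, usage: int, selector: int, mtype: int) -> TLSA:
    """Build the TLSA record a server operator would publish for this cert."""
    return TLSA(usage, selector, mtype, association_data(selected(cert, selector), mtype))


def tlsa_to_text(r: TLSA) -> str:
    """Presentation format as it appears in a zone file: '3 1 1 <hex>'."""
    return f"{r.usage} {r.selector} {r.mtype} {r.data.hex()}"


def tlsa_from_text(s: str) -> TLSA:
    usage, selector, mtype, hexdata = s.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def verify_smtp_dane(records, chain, expected_name):
    """Return (ok, reason). chain[0] is the server's end-entity certificate.

    Usage 3: match the EE cert itself; no name check, no expiry check (RFC 7671 5.1).
    Usage 2: match some issuer in the chain, then the name must still match.
    Usage 0/1: unusable for SMTP (RFC 7672 3.1.3). Chain signatures are not
    validated in this toy; a real client must do that for usage 2.
    """
    ee = chain[0]
    reasons = []
    for r in records:
        if r.usage in (0, 1):
            reasons.append(f"usage {r.usage} is unusable for SMTP")
            continue
        if r.usage == 3:
            if r.data == association_data(selected(ee, r.selector), r.mtype):
                return True, "DANE-EE(3) matched; hostname and expiry not checked"
            reasons.append("DANE-EE(3) record does not match the EE certificate")
            continue
        if r.usage == 2:
            ta_hit = any(r.data == association_data(selected(c, r.selector), r.mtype)
                         for c in chain[1:])
            if not ta_hit:
                reasons.append("DANE-TA(2): no issuer in the chain matches")
            elif expected_name not in ee.names:
                reasons.append(f"DANE-TA(2): issuer matched but {expected_name!r} not in cert names")
            else:
                return True, "DANE-TA(2) matched issuer and hostname"
            continue
        reasons.append(f"unknown certificate usage {r.usage}")
    return False, "; ".join(reasons) or "no TLSA records"


# Constructed sample chain: the cert names mail.example.net, but the MX
# hostname the client connects to is mx1.example.org (a deliberate mismatch).
SERVER = Cert(b"constructed EE cert DER", b"constructed EE SPKI DER", ("mail.example.net",))
ISSUER = Cert(b"constructed issuer cert DER", b"constructed issuer SPKI DER")
CHAIN = (SERVER, ISSUER)

if __name__ == "__main__":
    rec = tlsa_for(SERVER, 3, 1, 1)
    print("_25._tcp.mx1.example.org. IN TLSA", tlsa_to_text(rec))
    print(verify_smtp_dane([tlsa_from_text(tlsa_to_text(rec))], CHAIN, "mx1.example.org"))
    print(verify_smtp_dane([tlsa_for(ISSUER, 2, 0, 1)], CHAIN, "mx1.example.org"))
```

The second and third prints show the contrast the thread is about: the same hostname mismatch is irrelevant under DANE-EE(3) but fatal under DANE-TA(2), so a scanner that flags any name mismatch as "insecure" misjudges a DANE-EE deployment.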