On Fri, Aug 07, 2015 at 02:55:42AM +0200, DTNX Postmaster wrote:
> For most systems, monitoring the status of their encryption just isn't
> done at all; they use the defaults their device or server came with at
> the time they purchased it, and rarely keep up with the times.
They don't need to. There's nothing wrong with outdated crypto on
systems that wouldn't even encrypt if encryption weren't on by
default. We'll get more decent security through a natural process
of deployment of more capable systems and retirement of less capable
systems. Eventually, there'll be no demand for RC4 (for example),
and we'll be able to turn it off with no noticeable degradation to
cleartext. Later still (another ~5 years?) we'll be able to turn
off TLS 1.0...
> Also, unlike HTTPS, there is no way to surface the usage of bad
> settings to the user and raise awareness that way, because the user
> (employee or customer) has no real visibility into the state of
> transport encryption between MTAs. There is generally very little they
> can leverage to force change, even if they wanted to.
Indeed "bad settings" are systems with broken DANE TLSA records
that make it painful for others to enable decent security. Folks
who just go with the flow and don't break anything are not a problem.
I want to encourage capable administrators who can operate a signed
DNSSEC zone without outages, and can document and perform key
rotation correctly, to publish DANE TLSA RRs. I'd like to discourage
others from doing so, if they don't have the determination, skill
or discipline to do it well.
> In other words, you gain NOTHING by dropping RC4 connections down to
> plain text, at this point. It makes you, as a delivery destination,
> less secure. You're punishing the end user out of some misplaced sense
> of righteousness, doing disservice to both them and the recipients you
> are responsible for.
>
> The only reason to disable old ciphers still in use for MTA-to-MTA
> traffic is if leaving them enabled makes your systems vulnerable. In
> all other cases, fallback to plain text is worse.
Yes. This is why we've disabled EXPORT ciphers, and similarly
weak, but no longer used legacy TLS features, but are aggressively
hardening opportunistic TLS beyond that. And we'll continue to
ship Postfix with reasonable default settings.
--
Viktor.
