Date: Tue, 22 Jan 2008 23:31:57 -0600
From: sjk <sjk@cupacoffee.net>
To: Ed Gerck <edgerck@nma.com>
CC: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <47963820.7060802@nma.com>

Ed Gerck wrote:
> List,
>
> I would like to address and request comments on the use of SSL/TLS and
> port 587 for email security.
>
> The often expressed idea that SSL/TLS and port 587 are somehow able to
> prevent warrantless wiretapping and so on, or protect any private
> communications, is IMO simply not supported by facts.
>
> Warrantless wiretapping and so on, and private communications
> eavesdropping are done more efficiently and covertly directly at the
> ISPs (hence the name "warrantless wiretapping"), where SSL/TLS
> protection does NOT apply. There is a security gap at every negotiated
> SSL/TLS session.
>
> It is misleading to claim that port 587 solves the security problem of
> email eavesdropping, and gives people a false sense of security. It is
> worse than using a 56-bit DES key -- the email is in plaintext where it
> is most vulnerable.

Perhaps you'd like to expand upon this a bit. I am a bit confused by your
assertion. tcp/587 is the standard authenticated submission port, while
tcp/465 is the normal smtp/ssl port - of course one could run any mix of
one or the other on either port. Are you suggesting that some
postmasters/admins are claiming that their Submission ports are encrypted?

--
sjk@cupacoffee.net
fingerprint: 1024D/89420B8E 2001-09-16

No one can understand the truth until
he drinks of coffee's frothy goodness.
~~Sheik Abd-al-Kadir

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com