Ed Gerck wrote:
> List,
>
> I would like to address and request comments on the use of SSL/TLS and
> port 587 for email security.
>
> The often expressed idea that SSL/TLS and port 587 are somehow able to
> prevent warrantless wiretapping and so on, or protect any private
> communications, is IMO simply not supported by facts.
>
> Warrantless wiretapping and so on, and private communications
> eavesdropping are done more efficiently and covertly directly at the
> ISPs (hence the name "warrantless wiretapping"), where SSL/TLS
> protection does NOT apply. There is a security gap at every negotiated
> SSL/TLS session.
>
> It is misleading to claim that port 587 solves the security problem of
> email eavesdropping, and gives people a false sense of security. It is
> worse than using a 56-bit DES key -- the email is in plaintext where it
> is most vulnerable.

Perhaps you'd like to expand upon this a bit. I am a bit confused by
your assertion. tcp/587 is the standard authenticated submission port,
while tcp/465 is the normal smtp/ssl port - of course one could run any
mix of one or the other on either port. Are you suggesting that some
postmasters/admins are claiming that their Submission ports are encrypted?
--
[EMAIL PROTECTED]
fingerprint: 1024D/89420B8E 2001-09-16
No one can understand the truth until
he drinks of coffee's frothy goodness.
~~Sheik Abd-al-Kadir
---------------------------------------------------------------------
The Cryptography Mailing List