On Fri, Jul 19, 2002 at 02:40:16PM -0400, Owen, Greg wrote:
| > I saw this behavior in Norton AV 2000. After searching their
| > web site, I found the information saying that they just plain
| > don't support SSL encrypted email. You have to pick, auto-scan
| > AV, or encrypted session.
|
| I ran into this bug (yes, I'll call it a bug) in Norton a few
| months ago. I can only say that there is a special circle in hell
| reserved for companies which _silently_ disable security measures in
| order to let their product carry out a procedure (especially a redundant
| procedure).
|
| While we're on STARTTLS issues, another security issue people
| should be aware of is that mail clients (I've seen this on OE, but I'm
| betting it is pretty common) only use SSL for encryption, not
| authentication. In other words, if you just happen to be in a hotel
| with one of those ethernet devices, and the hotel ISP happens to
| silently redirect port 25 to their own SMTP relay, and their SMTP relay
| supports STARTTLS with a valid certificate, then your mail client will
| very happily transmit your SMTP AUTH credentials to their server,
| thinking it is your own that it is talking to. This one bit me at SANS
| Orlando 2002 (Thank you, Marriott...)
So if the Marriott can do this, why can't Norton?
It seems to be the perfect solution; encrypt to the AV product, which
is doing a MITM attack, and then from the AV product to your mail
server.
Which of course will make figuring out what the cert on the far end is
*even trickier*, but hey, it's a small price to pay for
anti-eavesdropping.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
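The hotel-relay scenario quoted above comes down to one client-side setting: whether the TLS context verifies the server certificate and hostname before SMTP AUTH is sent, or merely encrypts. The following Python is an added example, not code from anyone in this thread; the helper names (`hardened_context`, `weak_context`, `credentials_may_be_sent`, `send_with_auth`) are hypothetical, and the EHLO reply it parses is a constructed sample. It puts the encrypt-only context beside the authenticating one, and adds the related check that credentials are never sent if the STARTTLS keyword is missing from the EHLO reply (a relay that strips it would otherwise receive AUTH in the clear).

```python
import smtplib
import ssl


def hardened_context(cafile=None):
    """TLS context that authenticates the server, not just encrypts.

    check_hostname + CERT_REQUIRED is what makes a relay presenting a
    valid certificate for the *wrong* name fail the handshake instead of
    receiving the SMTP AUTH credentials. cafile is optional; the default
    is the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """Encrypt-only context: the client behaviour the thread complains about.
    Any certificate, for any name, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_server(ctx):
    """True only if the handshake will reject an unverified or mismatched cert."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def parse_ehlo_extensions(ehlo_reply):
    """Return the set of upper-cased EHLO keywords from a raw multi-line 250 reply.

    The first line carries the server name and is skipped; every further
    '250-KEYWORD ...' or '250 KEYWORD ...' line contributes its keyword.
    """
    exts = set()
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue
        tokens = line[4:].split()
        if tokens:
            exts.add(tokens[0].upper())
    return exts


def credentials_may_be_sent(exts, tls_established, ctx):
    """Policy: AUTH only after STARTTLS succeeded with an authenticating context,
    and never when STARTTLS was not offered (a stripped keyword is a downgrade)."""
    if "STARTTLS" not in exts:
        return False
    if not tls_established:
        return False
    return context_authenticates_server(ctx)


def send_with_auth(host, port, user, password, ctx=None):
    """Hypothetical helper: EHLO, require STARTTLS, verify the server, then AUTH.

    smtplib.starttls(context=...) raises ssl.SSLCertVerificationError when the
    certificate or hostname does not verify, so the login never happens.
    """
    ctx = ctx or hardened_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server offers no STARTTLS; refusing to send credentials")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-issue EHLO inside the tunnel; pre-TLS extensions are untrusted
        exts = {k.upper() for k in smtp.esmtp_features}
        if not credentials_may_be_sent(exts, True, ctx):
            raise RuntimeError("refusing AUTH: TLS session does not authenticate the server")
        smtp.login(user, password)
        return smtp


# Constructed sample reply, as a server in the thread's scenario might send it.
SAMPLE_EHLO = b"250-mail.example.com\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"
# Same reply with STARTTLS stripped by an intermediary.
STRIPPED_EHLO = b"250-mail.example.com\r\n250-SIZE 35882577\r\n250 AUTH PLAIN LOGIN\r\n"


def demo():
    """Return the policy decision for each context against the sample replies."""
    good = parse_ehlo_extensions(SAMPLE_EHLO)
    bad = parse_ehlo_extensions(STRIPPED_EHLO)
    return {
        "hardened_ok": credentials_may_be_sent(good, True, hardened_context()),
        "weak_ok": credentials_may_be_sent(good, True, weak_context()),
        "stripped_ok": credentials_may_be_sent(bad, True, hardened_context()),
    }


if __name__ == "__main__":
    print(demo())
```

`send_with_auth` is the only function that touches the network; everything else runs offline so the policy can be exercised against captured EHLO replies. The re-issued EHLO after `starttls()` matters: the extension list seen before the tunnel was established came over cleartext and could have been altered.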