On 21/08/17 22:18, Joseph Tam wrote:

> Lest anyone think STARTTLS MITM doesn't happen,
>
> https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/
>
> Not only for security, I prefer port 993/995 as it's just plain simpler
> to initiate SSL from the get-go rather than to do some handshaking that
> gets you to the same point.

Frankly, after reading the above link and some more info on the internet on the subject, I am now wondering why we bother at all with STARTTLS for IMAP, POP3 and even SMTP (and by the way, port 465 for SMTP + SSL/TLS *is* indeed deprecated officially). It would appear that STARTTLS is significantly more vulnerable to MITM attacks than plain SSL/TLS for all the above protocols. Is the slight extra convenience of opportunistic encryption really worth the substantial loss in security?
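As an added illustration (not code from either poster) of the difference the thread is arguing about: a mail client that treats STARTTLS as mandatory, and refuses to send credentials when the capability is missing from the EHLO reply, is not exposed to a stripping downgrade, while implicit TLS on port 465 never has a cleartext phase at all. The host name and EHLO replies below are constructed samples.

```python
import smtplib
import ssl

# Constructed EHLO reply from a server that offers STARTTLS.
EHLO_OK = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
# The same reply with the STARTTLS line removed, which is what a client
# sees after an on-path downgrade of the capability list.
EHLO_STRIPPED = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)

def parse_ehlo(response):
    """Return the set of ESMTP capability keywords in a multi-line EHLO reply."""
    caps = set()
    for line in response.splitlines()[1:]:   # first line is the greeting
        body = line[4:].strip()               # drop the '250-' / '250 ' prefix
        if body:
            caps.add(body.split()[0].upper())
    return caps

def starttls_advertised(response):
    return "STARTTLS" in parse_ehlo(response)

def session_may_authenticate(response, port):
    """True only if the session is already encrypted or can be upgraded."""
    if port == 465:                           # implicit TLS: no cleartext phase
        return True
    return starttls_advertised(response)      # opportunistic: must be offered

def open_strict(host, port=587, timeout=10):
    """Connect and abort rather than fall back to cleartext (hypothetical helper)."""
    ctx = ssl.create_default_context()        # verifies the server certificate
    if port == 465:
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.quit()
        raise RuntimeError("STARTTLS not offered; refusing cleartext session")
    smtp.starttls(context=ctx)
    smtp.ehlo()                               # re-read capabilities over TLS
    return smtp
```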
