> On 10/16/2013 03:28 PM, Stephen Kent wrote:
> > Stephen,
> >
> > Just commenting on one of your comments ...
> >> ...
> >>> What is this "cleartext IMAP" of which you speak?
> >> I guess that's a fair comment - we don't know that they're
> >> able to gather inbox data via IMAP due to it being sent in
> >> clear, however that seems like a reasonable guess based
> >> on the newspaper story which says that collection is done
> >> by telcos that are "overseas" and assuming that TLS is not
> >> busted for these services.
> > Based only on the story that you cited, and your observation about
> > telcos being the sources of the info, might it be the case that the
> > telcos were also the mail providers? I'm not sure how to interpret
> > the slides the cited story included. That sort of explanation
> > would be consistent with Ned's observations about commercial provider
> > use of SSL to protect IMAP/POP access.

> That could be but I guess we're not likely to be told;-)

> I did take a peek to see if I could figure out if there're
> lots of services running on 143 without STARTTLS but haven't
> found anything that answers that question. I did find
> this [1] (no idea how accurate though) which says their
> survey found 4.7M listeners on 143, but there's no info
> about how many have a usable STARTTLS config.

But more to the point, the same study found 3.9M listeners on port 993. And
these days most clients try 993 first and only then fall back to port 143.
Assuming that everyone offering port 993 also offers 143, this would indicate
that at least 83% of IMAP servers out there are capable of being used in a
secure fashion. Which I have to say is a lot better than I expected.

But as I indicated previously, when it comes to addressing pervasive
surveillance of large numbers of users, even if we restrict ourselves to the
IMAP space this sort of survey is completely meaningless because it fails to
take the number of users on a server into account. My home server, with its
whopping total of 3 IMAP users is almost certainly on that list under two IPs,
and so is another server I know of, also under just two IPs, that hosts around
100 million users.

According to The Radicati Group, the ISP/MSP space is dominated by software
produced by folks like Critical Path (Intermail), Openwave Messaging, and yes,
Oracle (Oracle CMES). Now take a look at where these products rank on the
list you cite.

Like it or not, the email world is hugely lopsided and getting even more so as
an increasing number of small ISPs and enterprises migrate to hosted
solutions in the cloud. This growing concentration is both a curse and a
blessing: On the one hand, it means that a single exposure, like the fact that
Yahoo's webmail doesn't offer SSL/TLS even as an option (and is almost
certainly a major source of the information collection we're talking about
here). But on the other hand, when Yahoo implements SSL/TLS on their web mail,
as they have now said they are going to do in 2014, a major exposure will be
blocked.

Now think what a benefit it would be if SMTP traffic between Gmail, Apple, and
Yahoo was all done over encrypted links.

> With that
> number of services, I guess collecting O(10^5) "inboxes"
> per day in plaintext could be credible, but who knows.

That number is credible coming just from Yahoo web mail, which we know is wide
open and which we know they were collecting because it's referenced directly on
the slides. You *really* need to start thinking on a larger scale here.

Some additional information about the state of web mail showed up in
SANS Newsbites the other day:

  --Yahoo Webmail Gets Default SSL Protection in January
  (October 14, 2013)
  Yahoo has announced that starting on January 8, 2014, all Yahoo mail
  will be protected by SSL by default. Microsoft has offered optional SSL
  protection since 2010 and it has been default for Microsoft webmail
  since July 2012. Facebook implemented SSL for all connections several
  months ago; it has been an option since 2011. Twitter offered it as an
  option at the beginning of 2011 and made it default by August of that
  year. Google has had SSL on by default since 2010, an option since 2008.
  Yahoo began offering the option of SSL encryption earlier this year.

  http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/14/yahoo-to-make-ssl-encryption-the-default-for-webmail-users-finally/
  http://news.cnet.com/8301-1009_3-57607486-83/yahoo-mail-finally-turns-on-ssl/
  http://www.theregister.co.uk/2013/10/15/yahoo_mail_encryption_by_default_in_2014/

> But, nonetheless I think the question about 3-flavours
> of IMAP and MTI is still worth thinking about.

Not along the lines you seem to be considering.

                                Ned
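An added example, not part of this thread: the "usable STARTTLS config" question above can be answered per server by looking at what port 143 advertises before any TLS is negotiated. This Python script classifies such capability lines using constructed samples; `fetch_greeting` is a hypothetical helper for reading the real greeting from a server you operate.

```python
import re
import socket

# Constructed sample server lines, as a client would see them on port 143
# before any TLS has been negotiated (made up for this example, not survey data).
SAMPLE_LINES = {
    "requires-tls": "* OK [CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED] ready",
    "optional-tls": "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] ready",
    "cleartext-only": "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
    "unknown": "* OK IMAP server ready",
}

# Matches the capability list either in the greeting's [CAPABILITY ...]
# response code or in an untagged "* CAPABILITY ..." reply to a CAPABILITY command.
CAP_RE = re.compile(r"(?:\[CAPABILITY ([^\]]*)\]|^\* CAPABILITY (.*)$)", re.I)

# SASL mechanisms that send the password in the clear if used before STARTTLS.
PLAINTEXT_AUTH = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(line):
    """Return the advertised capabilities as an upper-cased set, or None."""
    m = CAP_RE.search(line.strip())
    if not m:
        return None
    caps = m.group(1) if m.group(1) is not None else m.group(2)
    return set(caps.upper().split())


def classify(line):
    """Classify a pre-TLS capability line by how usable its STARTTLS setup is."""
    caps = parse_capabilities(line)
    if caps is None:
        return "unknown"          # greeting carries no list; send CAPABILITY explicitly
    if "STARTTLS" not in caps:
        return "cleartext-only"   # port 143 offers no upgrade to TLS at all
    if "LOGINDISABLED" in caps and not (caps & PLAINTEXT_AUTH):
        return "requires-tls"     # no cleartext password path is advertised
    return "optional-tls"         # upgrade offered, but cleartext login still accepted


def fetch_greeting(host, port=143, timeout=5.0):
    """Hypothetical helper: read the greeting line from a live server (not run here)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.recv(4096).decode("ascii", "replace").splitlines()[0]
```

A server in the "optional-tls" class is exactly the case the survey cannot distinguish: it lists STARTTLS, yet a client that skips the upgrade still logs in over cleartext.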
_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass